2022-10-05 22:53:54 +00:00
package service
import (
"bytes"
"context"
2024-02-22 19:23:12 +00:00
"crypto/rand"
"crypto/rsa"
2023-01-31 14:46:01 +00:00
"crypto/tls"
2024-02-22 19:23:12 +00:00
"crypto/x509"
"crypto/x509/pkix"
2025-03-19 13:27:55 +00:00
_ "embed"
2024-02-22 19:23:12 +00:00
"encoding/asn1"
2023-02-17 19:26:51 +00:00
"encoding/base64"
2023-04-25 13:36:01 +00:00
"encoding/json"
2024-02-22 19:23:12 +00:00
"encoding/pem"
2023-03-27 18:43:01 +00:00
"errors"
2023-01-23 23:05:24 +00:00
"fmt"
2024-02-22 19:23:12 +00:00
"math/big"
2022-10-05 22:53:54 +00:00
"net/http"
"net/http/httptest"
2024-10-09 18:47:27 +00:00
"net/url"
2023-01-31 14:46:01 +00:00
"os"
2022-10-05 22:53:54 +00:00
"strings"
2024-04-18 21:01:37 +00:00
"sync"
2023-01-23 23:05:24 +00:00
"sync/atomic"
2022-10-05 22:53:54 +00:00
"testing"
2024-02-22 19:23:12 +00:00
"time"
2022-10-05 22:53:54 +00:00
2024-10-09 18:47:27 +00:00
eeservice "github.com/fleetdm/fleet/v4/ee/server/service"
2025-03-20 16:36:00 +00:00
"github.com/fleetdm/fleet/v4/ee/server/service/digicert"
2024-08-21 18:21:11 +00:00
"github.com/fleetdm/fleet/v4/pkg/optjson"
2022-10-05 22:53:54 +00:00
"github.com/fleetdm/fleet/v4/server/authz"
"github.com/fleetdm/fleet/v4/server/config"
2023-02-15 18:01:44 +00:00
"github.com/fleetdm/fleet/v4/server/contexts/license"
2023-01-23 23:05:24 +00:00
"github.com/fleetdm/fleet/v4/server/contexts/viewer"
2024-05-30 21:18:42 +00:00
"github.com/fleetdm/fleet/v4/server/datastore/mysql"
2022-10-05 22:53:54 +00:00
"github.com/fleetdm/fleet/v4/server/fleet"
2023-11-30 23:19:18 +00:00
fleetmdm "github.com/fleetdm/fleet/v4/server/mdm"
2023-03-13 13:33:32 +00:00
apple_mdm "github.com/fleetdm/fleet/v4/server/mdm/apple"
2023-03-17 21:52:30 +00:00
"github.com/fleetdm/fleet/v4/server/mdm/apple/mobileconfig"
2024-04-29 19:43:15 +00:00
mdmlifecycle "github.com/fleetdm/fleet/v4/server/mdm/lifecycle"
2024-02-26 15:26:00 +00:00
nanodep_client "github.com/fleetdm/fleet/v4/server/mdm/nanodep/client"
2024-05-30 21:18:42 +00:00
"github.com/fleetdm/fleet/v4/server/mdm/nanodep/tokenpki"
2024-01-12 02:28:48 +00:00
"github.com/fleetdm/fleet/v4/server/mdm/nanomdm/mdm"
nanomdm_pushsvc "github.com/fleetdm/fleet/v4/server/mdm/nanomdm/push/service"
2022-10-05 22:53:54 +00:00
"github.com/fleetdm/fleet/v4/server/mock"
2024-05-30 21:18:42 +00:00
mdmmock "github.com/fleetdm/fleet/v4/server/mock/mdm"
2023-01-31 14:46:01 +00:00
nanodep_mock "github.com/fleetdm/fleet/v4/server/mock/nanodep"
2025-03-14 17:16:51 +00:00
scep_mock "github.com/fleetdm/fleet/v4/server/mock/scep"
2023-01-23 23:05:24 +00:00
"github.com/fleetdm/fleet/v4/server/ptr"
2022-10-05 22:53:54 +00:00
"github.com/fleetdm/fleet/v4/server/test"
2024-06-17 13:27:31 +00:00
kitlog "github.com/go-kit/log"
2023-02-15 18:01:44 +00:00
"github.com/google/uuid"
2024-10-09 18:47:27 +00:00
"github.com/jmoiron/sqlx"
2024-04-18 21:01:37 +00:00
micromdm "github.com/micromdm/micromdm/mdm/mdm"
2024-11-20 17:47:11 +00:00
"github.com/micromdm/nanolib/log/stdlogfmt"
2025-03-19 13:27:55 +00:00
"github.com/micromdm/plist"
2024-09-10 19:52:17 +00:00
"github.com/smallstep/pkcs7"
2024-07-28 14:17:27 +00:00
"github.com/stretchr/testify/assert"
2022-10-05 22:53:54 +00:00
"github.com/stretchr/testify/require"
2025-02-18 23:49:02 +00:00
mdmtesting "github.com/fleetdm/fleet/v4/server/mdm/testing_utils"
2022-10-05 22:53:54 +00:00
)
2023-06-05 19:08:21 +00:00
type nopProfileMatcher struct { }
func ( nopProfileMatcher ) PreassignProfile ( ctx context . Context , pld fleet . MDMApplePreassignProfilePayload ) error {
return nil
}
func ( nopProfileMatcher ) RetrieveProfiles ( ctx context . Context , extHostID string ) ( fleet . MDMApplePreassignHostProfiles , error ) {
return fleet . MDMApplePreassignHostProfiles { } , nil
}
2023-05-10 20:22:08 +00:00
func setupAppleMDMService ( t * testing . T , license * fleet . LicenseInfo ) ( fleet . Service , context . Context , * mock . Store ) {
2022-10-05 22:53:54 +00:00
ds := new ( mock . Store )
cfg := config . TestConfig ( )
2024-04-18 21:01:37 +00:00
testCertPEM , testKeyPEM , err := generateCertWithAPNsTopic ( )
require . NoError ( t , err )
2024-05-30 21:18:42 +00:00
config . SetTestMDMConfig ( t , & cfg , testCertPEM , testKeyPEM , "../../server/service/testdata" )
2022-10-05 22:53:54 +00:00
ts := httptest . NewServer ( http . HandlerFunc ( func ( w http . ResponseWriter , r * http . Request ) {
switch {
case strings . Contains ( r . URL . Path , "/server/devices" ) :
2022-12-05 22:50:49 +00:00
_ , err := w . Write ( [ ] byte ( "{}" ) )
require . NoError ( t , err )
2022-10-05 22:53:54 +00:00
return
case strings . Contains ( r . URL . Path , "/session" ) :
2022-12-05 22:50:49 +00:00
_ , err := w . Write ( [ ] byte ( ` { "auth_session_token": "yoo"} ` ) )
require . NoError ( t , err )
2022-10-05 22:53:54 +00:00
return
2024-09-10 22:44:58 +00:00
case strings . Contains ( r . URL . Path , "/profile" ) :
_ , err := w . Write ( [ ] byte ( ` { "profile_uuid": "profile123"} ` ) )
require . NoError ( t , err )
2022-10-05 22:53:54 +00:00
}
} ) )
2023-01-23 23:05:24 +00:00
2024-05-30 21:18:42 +00:00
mdmStorage := & mdmmock . MDMAppleStore { }
2023-01-31 14:46:01 +00:00
depStorage := & nanodep_mock . Storage { }
pushFactory , _ := newMockAPNSPushProviderFactory ( )
pusher := nanomdm_pushsvc . New (
mdmStorage ,
mdmStorage ,
pushFactory ,
NewNanoMDMLogger ( kitlog . NewJSONLogger ( os . Stdout ) ) ,
)
2023-01-23 23:05:24 +00:00
opts := & TestServerOpts {
2023-06-05 19:08:21 +00:00
FleetConfig : & cfg ,
MDMStorage : mdmStorage ,
DEPStorage : depStorage ,
MDMPusher : pusher ,
License : license ,
ProfileMatcher : nopProfileMatcher { } ,
2023-01-31 14:46:01 +00:00
}
svc , ctx := newTestServiceWithConfig ( t , ds , cfg , nil , nil , opts )
2024-12-20 21:40:23 +00:00
mdmStorage . EnqueueCommandFunc = func ( ctx context . Context , id [ ] string , cmd * mdm . CommandWithSubtype ) ( map [ string ] error , error ) {
2023-01-31 14:46:01 +00:00
return nil , nil
2023-01-23 23:05:24 +00:00
}
2023-01-31 14:46:01 +00:00
mdmStorage . RetrievePushInfoFunc = func ( ctx context . Context , tokens [ ] string ) ( map [ string ] * mdm . Push , error ) {
res := make ( map [ string ] * mdm . Push , len ( tokens ) )
for _ , t := range tokens {
res [ t ] = & mdm . Push {
PushMagic : "" ,
Token : [ ] byte ( t ) ,
Topic : "" ,
}
}
return res , nil
2023-01-23 23:05:24 +00:00
}
2023-01-31 14:46:01 +00:00
mdmStorage . RetrievePushCertFunc = func ( ctx context . Context , topic string ) ( * tls . Certificate , string , error ) {
cert , err := tls . LoadX509KeyPair ( "testdata/server.pem" , "testdata/server.key" )
return & cert , "" , err
2023-01-23 23:05:24 +00:00
}
2023-01-31 14:46:01 +00:00
mdmStorage . IsPushCertStaleFunc = func ( ctx context . Context , topic string , staleToken string ) ( bool , error ) {
return false , nil
}
depStorage . RetrieveAuthTokensFunc = func ( ctx context . Context , name string ) ( * nanodep_client . OAuth1Tokens , error ) {
return & nanodep_client . OAuth1Tokens { } , nil
}
depStorage . RetrieveConfigFunc = func ( context . Context , string ) ( * nanodep_client . Config , error ) {
return & nanodep_client . Config {
BaseURL : ts . URL ,
} , nil
2023-01-23 23:05:24 +00:00
}
2022-10-05 22:53:54 +00:00
ds . AppConfigFunc = func ( ctx context . Context ) ( * fleet . AppConfig , error ) {
return & fleet . AppConfig {
OrgInfo : fleet . OrgInfo {
OrgName : "Foo Inc." ,
} ,
ServerSettings : fleet . ServerSettings {
ServerURL : "https://foo.example.com" ,
} ,
2023-03-27 19:30:29 +00:00
MDM : fleet . MDM {
EnabledAndConfigured : true ,
} ,
2022-10-05 22:53:54 +00:00
} , nil
}
ds . GetMDMAppleEnrollmentProfileByTokenFunc = func ( ctx context . Context , token string ) ( * fleet . MDMAppleEnrollmentProfile , error ) {
return nil , nil
}
ds . NewMDMAppleEnrollmentProfileFunc = func ( ctx context . Context , enrollmentPayload fleet . MDMAppleEnrollmentProfilePayload ) ( * fleet . MDMAppleEnrollmentProfile , error ) {
return & fleet . MDMAppleEnrollmentProfile {
ID : 1 ,
Token : "foo" ,
Type : fleet . MDMAppleEnrollmentTypeManual ,
EnrollmentURL : "https://foo.example.com?token=foo" ,
} , nil
}
ds . GetMDMAppleEnrollmentProfileByTokenFunc = func ( ctx context . Context , token string ) ( * fleet . MDMAppleEnrollmentProfile , error ) {
return nil , nil
}
ds . ListMDMAppleEnrollmentProfilesFunc = func ( ctx context . Context ) ( [ ] * fleet . MDMAppleEnrollmentProfile , error ) {
return nil , nil
}
ds . NewMDMAppleInstallerFunc = func ( ctx context . Context , name string , size int64 , manifest string , installer [ ] byte , urlToken string ) ( * fleet . MDMAppleInstaller , error ) {
return nil , nil
}
ds . MDMAppleInstallerFunc = func ( ctx context . Context , token string ) ( * fleet . MDMAppleInstaller , error ) {
return nil , nil
}
ds . MDMAppleInstallerDetailsByIDFunc = func ( ctx context . Context , id uint ) ( * fleet . MDMAppleInstaller , error ) {
return nil , nil
}
ds . DeleteMDMAppleInstallerFunc = func ( ctx context . Context , id uint ) error {
return nil
}
ds . MDMAppleInstallerDetailsByTokenFunc = func ( ctx context . Context , token string ) ( * fleet . MDMAppleInstaller , error ) {
return nil , nil
}
ds . ListMDMAppleInstallersFunc = func ( ctx context . Context ) ( [ ] fleet . MDMAppleInstaller , error ) {
return nil , nil
}
ds . MDMAppleListDevicesFunc = func ( ctx context . Context ) ( [ ] fleet . MDMAppleDevice , error ) {
return nil , nil
}
2023-03-27 18:43:01 +00:00
ds . GetNanoMDMEnrollmentFunc = func ( ctx context . Context , hostUUID string ) ( * fleet . NanoEnrollment , error ) {
return & fleet . NanoEnrollment { Enabled : false } , nil
2023-01-23 23:05:24 +00:00
}
2025-05-09 18:18:48 +00:00
ds . GetNanoMDMEnrollmentTimesFunc = func ( ctx context . Context , hostUUID string ) ( * time . Time , * time . Time , error ) {
return nil , nil , nil
}
2023-04-05 14:50:36 +00:00
ds . GetMDMAppleCommandRequestTypeFunc = func ( ctx context . Context , commandUUID string ) ( string , error ) {
return "" , nil
}
2024-02-07 12:24:24 +00:00
ds . MDMGetEULAMetadataFunc = func ( ctx context . Context ) ( * fleet . MDMEULA , error ) {
return & fleet . MDMEULA { } , nil
2023-05-02 13:09:33 +00:00
}
2024-02-07 12:24:24 +00:00
ds . MDMGetEULABytesFunc = func ( ctx context . Context , token string ) ( * fleet . MDMEULA , error ) {
return & fleet . MDMEULA { } , nil
2023-05-02 13:09:33 +00:00
}
2024-02-07 12:24:24 +00:00
ds . MDMInsertEULAFunc = func ( ctx context . Context , eula * fleet . MDMEULA ) error {
2023-05-02 13:09:33 +00:00
return nil
}
2024-02-07 12:24:24 +00:00
ds . MDMDeleteEULAFunc = func ( ctx context . Context , token string ) error {
2023-05-02 13:09:33 +00:00
return nil
}
2024-12-17 22:14:12 +00:00
ds . ValidateEmbeddedSecretsFunc = func ( ctx context . Context , documents [ ] string ) error {
return nil
}
ds . ExpandEmbeddedSecretsFunc = func ( ctx context . Context , document string ) ( string , error ) {
return document , nil
}
2024-12-30 23:58:39 +00:00
ds . ExpandEmbeddedSecretsAndUpdatedAtFunc = func ( ctx context . Context , document string ) ( string , * time . Time , error ) {
return document , nil , nil
}
2025-02-18 23:49:02 +00:00
apnsCert , apnsKey , err := mysql . GenerateTestCertBytes ( mdmtesting . NewTestMDMAppleCertTemplate ( ) )
2024-05-30 21:18:42 +00:00
require . NoError ( t , err )
crt , key , err := apple_mdm . NewSCEPCACertKey ( )
require . NoError ( t , err )
certPEM := tokenpki . PEMCertificate ( crt . Raw )
keyPEM := tokenpki . PEMRSAPrivateKey ( key )
2024-10-09 18:47:27 +00:00
ds . GetAllMDMConfigAssetsByNameFunc = func ( ctx context . Context , assetNames [ ] fleet . MDMAssetName ,
2024-11-05 18:12:22 +00:00
_ sqlx . QueryerContext ,
) ( map [ fleet . MDMAssetName ] fleet . MDMConfigAsset , error ) {
2024-05-30 21:18:42 +00:00
return map [ fleet . MDMAssetName ] fleet . MDMConfigAsset {
fleet . MDMAssetAPNSCert : { Value : apnsCert } ,
fleet . MDMAssetAPNSKey : { Value : apnsKey } ,
fleet . MDMAssetCACert : { Value : certPEM } ,
fleet . MDMAssetCAKey : { Value : keyPEM } ,
} , nil
}
2023-01-23 23:05:24 +00:00
2024-09-10 22:44:58 +00:00
ds . GetABMTokenOrgNamesAssociatedWithTeamFunc = func ( ctx context . Context , teamID * uint ) ( [ ] string , error ) {
return [ ] string { "foobar" } , nil
}
ds . ListABMTokensFunc = func ( ctx context . Context ) ( [ ] * fleet . ABMToken , error ) {
return [ ] * fleet . ABMToken { { ID : 1 } } , nil
}
2023-01-16 20:06:30 +00:00
return svc , ctx , ds
2022-10-05 22:53:54 +00:00
}
func TestAppleMDMAuthorization ( t * testing . T ) {
2023-05-10 20:22:08 +00:00
svc , ctx , ds := setupAppleMDMService ( t , & fleet . LicenseInfo { Tier : fleet . TierPremium } )
2022-10-05 22:53:54 +00:00
2024-09-13 17:53:05 +00:00
ds . GetEnrollSecretsFunc = func ( ctx context . Context , teamID * uint ) ( [ ] * fleet . EnrollSecret , error ) {
return [ ] * fleet . EnrollSecret {
{
Secret : "abcd" ,
TeamID : nil ,
} ,
{
Secret : "efgh" ,
TeamID : nil ,
} ,
} , nil
}
2022-10-05 22:53:54 +00:00
checkAuthErr := func ( t * testing . T , err error , shouldFailWithAuth bool ) {
t . Helper ( )
if shouldFailWithAuth {
require . Error ( t , err )
require . Contains ( t , err . Error ( ) , authz . ForbiddenErrorMessage )
} else {
require . NoError ( t , err )
}
}
testAuthdMethods := func ( t * testing . T , user * fleet . User , shouldFailWithAuth bool ) {
2022-11-15 14:08:05 +00:00
ctx := test . UserContext ( ctx , user )
2023-05-09 17:00:18 +00:00
_ , err := svc . UploadMDMAppleInstaller ( ctx , "foo" , 3 , bytes . NewReader ( [ ] byte ( "foo" ) ) )
2022-10-05 22:53:54 +00:00
checkAuthErr ( t , err , shouldFailWithAuth )
_ , err = svc . GetMDMAppleInstallerByID ( ctx , 42 )
checkAuthErr ( t , err , shouldFailWithAuth )
err = svc . DeleteMDMAppleInstaller ( ctx , 42 )
checkAuthErr ( t , err , shouldFailWithAuth )
_ , err = svc . ListMDMAppleInstallers ( ctx )
checkAuthErr ( t , err , shouldFailWithAuth )
_ , err = svc . ListMDMAppleDevices ( ctx )
checkAuthErr ( t , err , shouldFailWithAuth )
2025-07-01 16:28:13 +00:00
}
2023-05-02 13:09:33 +00:00
2025-07-01 16:28:13 +00:00
// some eula methods read and write access for gitops users. We test them separately
// from the other MDM methods.
testEULAMethods := func ( t * testing . T , user * fleet . User , shouldFailWithAuth bool ) {
ctx := test . UserContext ( ctx , user )
_ , err := svc . MDMGetEULAMetadata ( ctx )
2023-05-02 13:09:33 +00:00
checkAuthErr ( t , err , shouldFailWithAuth )
2025-07-01 16:28:13 +00:00
err = svc . MDMCreateEULA ( ctx , "eula.pdf" , bytes . NewReader ( [ ] byte ( "%PDF-" ) ) , false )
2023-05-02 13:09:33 +00:00
checkAuthErr ( t , err , shouldFailWithAuth )
2025-07-01 16:28:13 +00:00
err = svc . MDMDeleteEULA ( ctx , "foo" , false )
2023-05-02 13:09:33 +00:00
checkAuthErr ( t , err , shouldFailWithAuth )
2022-10-05 22:53:54 +00:00
}
// Only global admins can access the endpoints.
testAuthdMethods ( t , test . UserAdmin , false )
2025-07-01 16:28:13 +00:00
// Global admin and gitops users can access the eula endpoints.
testEULAMethods ( t , test . UserAdmin , false )
testEULAMethods ( t , test . UserGitOps , false )
2022-10-05 22:53:54 +00:00
// All other users should not have access to the endpoints.
for _ , user := range [ ] * fleet . User {
test . UserNoRoles ,
test . UserMaintainer ,
test . UserObserver ,
2023-04-05 18:23:49 +00:00
test . UserObserverPlus ,
2022-10-05 22:53:54 +00:00
test . UserTeamAdminTeam1 ,
} {
testAuthdMethods ( t , user , true )
2025-07-01 16:28:13 +00:00
testEULAMethods ( t , user , true )
2022-10-05 22:53:54 +00:00
}
// Token authenticated endpoints can be accessed by anyone.
2022-11-15 14:08:05 +00:00
ctx = test . UserContext ( ctx , test . UserNoRoles )
2022-10-05 22:53:54 +00:00
_ , err := svc . GetMDMAppleInstallerByToken ( ctx , "foo" )
require . NoError ( t , err )
2024-07-16 16:44:48 +00:00
_ , err = svc . GetMDMAppleEnrollmentProfileByToken ( ctx , "foo" , "" )
2022-10-05 22:53:54 +00:00
require . NoError ( t , err )
_ , err = svc . GetMDMAppleInstallerDetailsByToken ( ctx , "foo" )
require . NoError ( t , err )
2024-02-07 12:24:24 +00:00
_ , err = svc . MDMGetEULABytes ( ctx , "foo" )
2023-05-02 13:09:33 +00:00
require . NoError ( t , err )
2022-12-19 13:37:08 +00:00
// Generating a new key pair does not actually make any changes to fleet, or expose any
// information. The user must configure fleet with the new key pair and restart the server.
_ , err = svc . NewMDMAppleDEPKeyPair ( ctx )
require . NoError ( t , err )
2023-01-16 15:22:12 +00:00
2024-01-27 00:57:19 +00:00
// Should work for all user types
for _ , user := range [ ] * fleet . User {
test . UserAdmin ,
test . UserMaintainer ,
test . UserObserver ,
test . UserObserverPlus ,
test . UserTeamAdminTeam1 ,
test . UserTeamGitOpsTeam1 ,
test . UserGitOps ,
test . UserTeamMaintainerTeam1 ,
test . UserTeamObserverTeam1 ,
test . UserTeamObserverPlusTeam1 ,
} {
usrctx := test . UserContext ( ctx , user )
_ , err = svc . GetMDMManualEnrollmentProfile ( usrctx )
require . NoError ( t , err )
}
2023-01-16 15:22:12 +00:00
// Must be device-authenticated, should fail
_ , err = svc . GetDeviceMDMAppleEnrollmentProfile ( ctx )
checkAuthErr ( t , err , true )
// works with device-authenticated context
2025-04-24 17:20:21 +00:00
hostCtx := test . HostContext ( context . Background ( ) , & fleet . Host { } )
_ , err = svc . GetDeviceMDMAppleEnrollmentProfile ( hostCtx )
2023-01-16 15:22:12 +00:00
require . NoError ( t , err )
2023-04-03 18:25:49 +00:00
hostUUIDsToTeamID := map [ string ] uint {
"host1" : 1 ,
"host2" : 1 ,
"host3" : 2 ,
"host4" : 0 ,
}
ds . ListHostsLiteByUUIDsFunc = func ( ctx context . Context , filter fleet . TeamFilter , uuids [ ] string ) ( [ ] * fleet . Host , error ) {
hosts := make ( [ ] * fleet . Host , 0 , len ( uuids ) )
for _ , uuid := range uuids {
tmID := hostUUIDsToTeamID [ uuid ]
if tmID == 0 {
hosts = append ( hosts , & fleet . Host { UUID : uuid , TeamID : nil } )
} else {
hosts = append ( hosts , & fleet . Host { UUID : uuid , TeamID : & tmID } )
}
}
return hosts , nil
}
rawB64FreeCmd := base64 . RawStdEncoding . EncodeToString ( [ ] byte ( ` < ? xml version = "1.0" encoding = "UTF-8" ? >
< ! DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" >
< plist version = "1.0" >
< dict >
< key > Command < / key >
< dict >
< key > RequestType < / key >
< string > FooBar < / string >
< / dict >
< key > CommandUUID < / key >
< string > uuid < / string >
< / dict >
< / plist > ` ) )
2023-04-17 15:45:16 +00:00
t . Run ( "EnqueueMDMAppleCommand" , func ( t * testing . T ) {
enqueueCmdCases := [ ] struct {
desc string
user * fleet . User
uuids [ ] string
shoudFailWithAuth bool
} {
{ "no role" , test . UserNoRoles , [ ] string { "host1" , "host2" , "host3" , "host4" } , true } ,
{ "maintainer can run" , test . UserMaintainer , [ ] string { "host1" , "host2" , "host3" , "host4" } , false } ,
{ "admin can run" , test . UserAdmin , [ ] string { "host1" , "host2" , "host3" , "host4" } , false } ,
{ "observer cannot run" , test . UserObserver , [ ] string { "host1" , "host2" , "host3" , "host4" } , true } ,
{ "team 1 admin can run team 1" , test . UserTeamAdminTeam1 , [ ] string { "host1" , "host2" } , false } ,
{ "team 2 admin can run team 2" , test . UserTeamAdminTeam2 , [ ] string { "host3" } , false } ,
{ "team 1 maintainer can run team 1" , test . UserTeamMaintainerTeam1 , [ ] string { "host1" , "host2" } , false } ,
{ "team 1 observer cannot run team 1" , test . UserTeamObserverTeam1 , [ ] string { "host1" , "host2" } , true } ,
{ "team 1 admin cannot run team 2" , test . UserTeamAdminTeam1 , [ ] string { "host3" } , true } ,
{ "team 1 admin cannot run no team" , test . UserTeamAdminTeam1 , [ ] string { "host4" } , true } ,
{ "team 1 admin cannot run mix of team 1 and 2" , test . UserTeamAdminTeam1 , [ ] string { "host1" , "host3" } , true } ,
}
for _ , c := range enqueueCmdCases {
t . Run ( c . desc , func ( t * testing . T ) {
ctx = test . UserContext ( ctx , c . user )
2023-11-01 14:13:12 +00:00
_ , err = svc . EnqueueMDMAppleCommand ( ctx , rawB64FreeCmd , c . uuids )
2023-04-17 15:45:16 +00:00
checkAuthErr ( t , err , c . shoudFailWithAuth )
} )
}
2023-04-03 18:25:49 +00:00
2023-04-17 15:45:16 +00:00
// test with a command that requires a premium license
ctx = test . UserContext ( ctx , test . UserAdmin )
ctx = license . NewContext ( ctx , & fleet . LicenseInfo { Tier : fleet . TierFree } )
rawB64PremiumCmd := base64 . RawStdEncoding . EncodeToString ( [ ] byte ( fmt . Sprintf ( ` < ? xml version = "1.0" encoding = "UTF-8" ? >
2023-04-03 18:25:49 +00:00
< ! DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" >
< plist version = "1.0" >
< dict >
< key > Command < / key >
< dict >
< key > RequestType < / key >
< string > % s < / string >
< / dict >
< key > CommandUUID < / key >
< string > uuid < / string >
< / dict >
< / plist > ` , "DeviceLock" ) ) )
2023-11-01 14:13:12 +00:00
_ , err = svc . EnqueueMDMAppleCommand ( ctx , rawB64PremiumCmd , [ ] string { "host1" } )
2023-04-17 15:45:16 +00:00
require . Error ( t , err )
require . ErrorContains ( t , err , fleet . ErrMissingLicense . Error ( ) )
} )
2023-04-05 14:50:36 +00:00
cmdUUIDToHostUUIDs := map [ string ] [ ] string {
"uuidTm1" : { "host1" , "host2" } ,
"uuidTm2" : { "host3" } ,
"uuidNoTm" : { "host4" } ,
"uuidMixTm1Tm2" : { "host1" , "host3" } ,
}
2023-11-01 14:13:12 +00:00
getResults := func ( commandUUID string ) ( [ ] * fleet . MDMCommandResult , error ) {
2023-04-05 14:50:36 +00:00
hosts := cmdUUIDToHostUUIDs [ commandUUID ]
2023-11-01 14:13:12 +00:00
res := make ( [ ] * fleet . MDMCommandResult , 0 , len ( hosts ) )
2023-04-05 14:50:36 +00:00
for _ , h := range hosts {
2023-11-01 14:13:12 +00:00
res = append ( res , & fleet . MDMCommandResult {
HostUUID : h ,
2023-04-05 14:50:36 +00:00
} )
}
return res , nil
}
2023-11-01 14:13:12 +00:00
ds . GetMDMAppleCommandResultsFunc = func ( ctx context . Context , commandUUID string ) ( [ ] * fleet . MDMCommandResult , error ) {
return getResults ( commandUUID )
}
ds . GetMDMCommandPlatformFunc = func ( ctx context . Context , commandUUID string ) ( string , error ) {
return "darwin" , nil
}
2023-04-17 15:45:16 +00:00
t . Run ( "GetMDMAppleCommandResults" , func ( t * testing . T ) {
cmdResultsCases := [ ] struct {
desc string
user * fleet . User
cmdUUID string
shoudFailWithAuth bool
} {
{ "no role" , test . UserNoRoles , "uuidTm1" , true } ,
{ "maintainer can view" , test . UserMaintainer , "uuidTm1" , false } ,
{ "maintainer can view" , test . UserMaintainer , "uuidTm2" , false } ,
{ "maintainer can view" , test . UserMaintainer , "uuidNoTm" , false } ,
{ "maintainer can view" , test . UserMaintainer , "uuidMixTm1Tm2" , false } ,
{ "observer can view" , test . UserObserver , "uuidTm1" , false } ,
{ "observer can view" , test . UserObserver , "uuidTm2" , false } ,
{ "observer can view" , test . UserObserver , "uuidNoTm" , false } ,
{ "observer can view" , test . UserObserver , "uuidMixTm1Tm2" , false } ,
{ "observer+ can view" , test . UserObserverPlus , "uuidTm1" , false } ,
{ "observer+ can view" , test . UserObserverPlus , "uuidTm2" , false } ,
{ "observer+ can view" , test . UserObserverPlus , "uuidNoTm" , false } ,
{ "observer+ can view" , test . UserObserverPlus , "uuidMixTm1Tm2" , false } ,
{ "admin can view" , test . UserAdmin , "uuidTm1" , false } ,
{ "admin can view" , test . UserAdmin , "uuidTm2" , false } ,
{ "admin can view" , test . UserAdmin , "uuidNoTm" , false } ,
{ "admin can view" , test . UserAdmin , "uuidMixTm1Tm2" , false } ,
{ "tm1 maintainer can view tm1" , test . UserTeamMaintainerTeam1 , "uuidTm1" , false } ,
{ "tm1 maintainer cannot view tm2" , test . UserTeamMaintainerTeam1 , "uuidTm2" , true } ,
{ "tm1 maintainer cannot view no team" , test . UserTeamMaintainerTeam1 , "uuidNoTm" , true } ,
{ "tm1 maintainer cannot view mix" , test . UserTeamMaintainerTeam1 , "uuidMixTm1Tm2" , true } ,
{ "tm1 observer can view tm1" , test . UserTeamObserverTeam1 , "uuidTm1" , false } ,
{ "tm1 observer cannot view tm2" , test . UserTeamObserverTeam1 , "uuidTm2" , true } ,
{ "tm1 observer cannot view no team" , test . UserTeamObserverTeam1 , "uuidNoTm" , true } ,
{ "tm1 observer cannot view mix" , test . UserTeamObserverTeam1 , "uuidMixTm1Tm2" , true } ,
{ "tm1 observer+ can view tm1" , test . UserTeamObserverPlusTeam1 , "uuidTm1" , false } ,
{ "tm1 observer+ cannot view tm2" , test . UserTeamObserverPlusTeam1 , "uuidTm2" , true } ,
{ "tm1 observer+ cannot view no team" , test . UserTeamObserverPlusTeam1 , "uuidNoTm" , true } ,
{ "tm1 observer+ cannot view mix" , test . UserTeamObserverPlusTeam1 , "uuidMixTm1Tm2" , true } ,
{ "tm1 admin can view tm1" , test . UserTeamAdminTeam1 , "uuidTm1" , false } ,
{ "tm1 admin cannot view tm2" , test . UserTeamAdminTeam1 , "uuidTm2" , true } ,
{ "tm1 admin cannot view no team" , test . UserTeamAdminTeam1 , "uuidNoTm" , true } ,
{ "tm1 admin cannot view mix" , test . UserTeamAdminTeam1 , "uuidMixTm1Tm2" , true } ,
}
for _ , c := range cmdResultsCases {
t . Run ( c . desc , func ( t * testing . T ) {
ctx = test . UserContext ( ctx , c . user )
_ , err = svc . GetMDMAppleCommandResults ( ctx , c . cmdUUID )
checkAuthErr ( t , err , c . shoudFailWithAuth )
2023-11-01 14:13:12 +00:00
// TODO(sarah): move test to shared file
_ , err = svc . GetMDMCommandResults ( ctx , c . cmdUUID )
checkAuthErr ( t , err , c . shoudFailWithAuth )
2023-04-17 15:45:16 +00:00
} )
}
} )
t . Run ( "ListMDMAppleCommands" , func ( t * testing . T ) {
2023-11-01 14:13:12 +00:00
ds . ListMDMAppleCommandsFunc = func ( ctx context . Context , tmFilter fleet . TeamFilter , opt * fleet . MDMCommandListOptions ) ( [ ] * fleet . MDMAppleCommand , error ) {
2023-04-17 15:45:16 +00:00
return [ ] * fleet . MDMAppleCommand {
{ DeviceID : "no team" , TeamID : nil } ,
{ DeviceID : "tm1" , TeamID : ptr . Uint ( 1 ) } ,
{ DeviceID : "tm2" , TeamID : ptr . Uint ( 2 ) } ,
} , nil
}
listCmdsCases := [ ] struct {
2023-04-17 17:37:52 +00:00
desc string
user * fleet . User
want [ ] string // the expected device ids in the results
shouldFail bool // with forbidden error
2023-04-17 15:45:16 +00:00
} {
2023-04-17 17:37:52 +00:00
{ "no role" , test . UserNoRoles , [ ] string { } , true } ,
{ "maintainer can view" , test . UserMaintainer , [ ] string { "no team" , "tm1" , "tm2" } , false } ,
{ "observer can view" , test . UserObserver , [ ] string { "no team" , "tm1" , "tm2" } , false } ,
{ "observer+ can view" , test . UserObserverPlus , [ ] string { "no team" , "tm1" , "tm2" } , false } ,
{ "admin can view" , test . UserAdmin , [ ] string { "no team" , "tm1" , "tm2" } , false } ,
{ "tm1 maintainer can view tm1" , test . UserTeamMaintainerTeam1 , [ ] string { "tm1" } , false } ,
{ "tm1 observer can view tm1" , test . UserTeamObserverTeam1 , [ ] string { "tm1" } , false } ,
{ "tm1 observer+ can view tm1" , test . UserTeamObserverPlusTeam1 , [ ] string { "tm1" } , false } ,
{ "tm1 admin can view tm1" , test . UserTeamAdminTeam1 , [ ] string { "tm1" } , false } ,
2023-04-17 15:45:16 +00:00
}
for _ , c := range listCmdsCases {
t . Run ( c . desc , func ( t * testing . T ) {
ctx = test . UserContext ( ctx , c . user )
2023-11-01 14:13:12 +00:00
res , err := svc . ListMDMAppleCommands ( ctx , & fleet . MDMCommandListOptions { } )
2023-04-17 17:37:52 +00:00
checkAuthErr ( t , err , c . shouldFail )
if c . shouldFail {
return
}
2023-04-17 15:45:16 +00:00
got := make ( [ ] string , len ( res ) )
for i , r := range res {
got [ i ] = r . DeviceID
}
require . Equal ( t , c . want , got )
} )
}
} )
2022-10-05 22:53:54 +00:00
}
2022-12-23 17:55:17 +00:00
2023-02-17 15:28:28 +00:00
func TestMDMAppleConfigProfileAuthz ( t * testing . T ) {
2023-05-10 20:22:08 +00:00
svc , ctx , ds := setupAppleMDMService ( t , & fleet . LicenseInfo { Tier : fleet . TierPremium } )
2023-02-17 15:28:28 +00:00
2023-12-04 15:04:06 +00:00
profUUID := "a" + uuid . NewString ( )
2023-02-17 15:28:28 +00:00
testCases := [ ] struct {
name string
user * fleet . User
shouldFailGlobal bool
shouldFailTeam bool
} {
{
"global admin" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } ,
false ,
false ,
} ,
{
"global maintainer" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleMaintainer ) } ,
false ,
false ,
} ,
{
"global observer" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleObserver ) } ,
true ,
true ,
} ,
{
"team admin, belongs to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 1 } , Role : fleet . RoleAdmin } } } ,
true ,
false ,
} ,
{
"team admin, DOES NOT belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 2 } , Role : fleet . RoleAdmin } } } ,
true ,
true ,
} ,
{
"team maintainer, belongs to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 1 } , Role : fleet . RoleMaintainer } } } ,
true ,
false ,
} ,
{
"team maintainer, DOES NOT belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 2 } , Role : fleet . RoleMaintainer } } } ,
true ,
true ,
} ,
{
"team observer, belongs to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 1 } , Role : fleet . RoleObserver } } } ,
true ,
true ,
} ,
{
"team observer, DOES NOT belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 2 } , Role : fleet . RoleObserver } } } ,
true ,
true ,
} ,
{
"user no roles" ,
& fleet . User { ID : 1337 } ,
true ,
true ,
} ,
}
2025-08-10 10:24:38 +00:00
ds . NewMDMAppleConfigProfileFunc = func ( ctx context . Context , cp fleet . MDMAppleConfigProfile , usesVars [ ] fleet . FleetVarName ) ( * fleet . MDMAppleConfigProfile , error ) {
2023-02-17 15:28:28 +00:00
return & cp , nil
}
ds . ListMDMAppleConfigProfilesFunc = func ( ctx context . Context , teamID * uint ) ( [ ] * fleet . MDMAppleConfigProfile , error ) {
return nil , nil
}
2024-05-24 16:25:27 +00:00
ds . NewActivityFunc = func ( context . Context , * fleet . User , fleet . ActivityDetails , [ ] byte , time . Time ) error {
2023-02-17 15:28:28 +00:00
return nil
}
2023-11-17 16:49:30 +00:00
ds . GetMDMAppleProfilesSummaryFunc = func ( context . Context , * uint ) ( * fleet . MDMProfilesSummary , error ) {
2023-03-02 00:36:59 +00:00
return nil , nil
}
2024-08-30 21:00:35 +00:00
ds . BulkSetPendingMDMHostProfilesFunc = func ( ctx context . Context , hids , tids [ ] uint , puuids , uuids [ ] string ,
) ( updates fleet . MDMProfilesUpdates , err error ) {
return fleet . MDMProfilesUpdates { } , nil
2023-03-27 18:43:01 +00:00
}
2025-09-04 16:39:41 +00:00
ds . GetGroupedCertificateAuthoritiesFunc = func ( ctx context . Context , includeSecrets bool ) ( * fleet . GroupedCertificateAuthorities , error ) {
return & fleet . GroupedCertificateAuthorities { } , nil
}
2023-02-17 15:28:28 +00:00
mockGetFuncWithTeamID := func ( teamID uint ) mock . GetMDMAppleConfigProfileFunc {
2023-12-04 15:04:06 +00:00
return func ( ctx context . Context , puid string ) ( * fleet . MDMAppleConfigProfile , error ) {
require . Equal ( t , profUUID , puid )
2023-02-17 15:28:28 +00:00
return & fleet . MDMAppleConfigProfile { TeamID : & teamID } , nil
}
}
mockDeleteFuncWithTeamID := func ( teamID uint ) mock . DeleteMDMAppleConfigProfileFunc {
2023-12-04 15:04:06 +00:00
return func ( ctx context . Context , puid string ) error {
require . Equal ( t , profUUID , puid )
2023-02-17 15:28:28 +00:00
return nil
}
}
mockTeamFuncWithUser := func ( u * fleet . User ) mock . TeamFunc {
return func ( ctx context . Context , teamID uint ) ( * fleet . Team , error ) {
if len ( u . Teams ) > 0 {
for _ , t := range u . Teams {
if t . ID == teamID {
return & fleet . Team { ID : teamID , Users : [ ] fleet . TeamUser { { User : * u , Role : t . Role } } } , nil
}
}
}
return & fleet . Team { } , nil
}
}
checkShouldFail := func ( err error , shouldFail bool ) {
if ! shouldFail {
require . NoError ( t , err )
} else {
require . Error ( t , err )
require . Contains ( t , err . Error ( ) , authz . ForbiddenErrorMessage )
}
}
mcBytes := mcBytesForTest ( "Foo" , "Bar" , "UUID" )
for _ , tt := range testCases {
ctx := viewer . NewContext ( ctx , viewer . Viewer { User : tt . user } )
ds . TeamFunc = mockTeamFuncWithUser ( tt . user )
t . Run ( tt . name , func ( t * testing . T ) {
// test authz create new profile (no team)
2024-11-05 18:12:22 +00:00
_ , err := svc . NewMDMAppleConfigProfile ( ctx , 0 , bytes . NewReader ( mcBytes ) , nil , fleet . LabelsIncludeAll )
2023-02-17 15:28:28 +00:00
checkShouldFail ( err , tt . shouldFailGlobal )
// test authz create new profile (team 1)
2024-11-05 18:12:22 +00:00
_ , err = svc . NewMDMAppleConfigProfile ( ctx , 1 , bytes . NewReader ( mcBytes ) , nil , fleet . LabelsIncludeAll )
2023-02-17 15:28:28 +00:00
checkShouldFail ( err , tt . shouldFailTeam )
// test authz list profiles (no team)
_ , err = svc . ListMDMAppleConfigProfiles ( ctx , 0 )
checkShouldFail ( err , tt . shouldFailGlobal )
// test authz list profiles (team 1)
_ , err = svc . ListMDMAppleConfigProfiles ( ctx , 1 )
checkShouldFail ( err , tt . shouldFailTeam )
// test authz get config profile (no team)
ds . GetMDMAppleConfigProfileFunc = mockGetFuncWithTeamID ( 0 )
2023-12-04 15:04:06 +00:00
_ , err = svc . GetMDMAppleConfigProfile ( ctx , profUUID )
2023-02-17 15:28:28 +00:00
checkShouldFail ( err , tt . shouldFailGlobal )
// test authz delete config profile (no team)
ds . DeleteMDMAppleConfigProfileFunc = mockDeleteFuncWithTeamID ( 0 )
2023-12-04 15:04:06 +00:00
err = svc . DeleteMDMAppleConfigProfile ( ctx , profUUID )
2023-02-17 15:28:28 +00:00
checkShouldFail ( err , tt . shouldFailGlobal )
// test authz get config profile (team 1)
ds . GetMDMAppleConfigProfileFunc = mockGetFuncWithTeamID ( 1 )
2023-12-04 15:04:06 +00:00
_ , err = svc . GetMDMAppleConfigProfile ( ctx , profUUID )
2023-02-17 15:28:28 +00:00
checkShouldFail ( err , tt . shouldFailTeam )
// test authz delete config profile (team 1)
ds . DeleteMDMAppleConfigProfileFunc = mockDeleteFuncWithTeamID ( 1 )
2023-12-04 15:04:06 +00:00
err = svc . DeleteMDMAppleConfigProfile ( ctx , profUUID )
2023-02-17 15:28:28 +00:00
checkShouldFail ( err , tt . shouldFailTeam )
2023-03-02 00:36:59 +00:00
// test authz get profiles summary (no team)
_ , err = svc . GetMDMAppleProfilesSummary ( ctx , nil )
checkShouldFail ( err , tt . shouldFailGlobal )
// test authz get profiles summary (no team)
_ , err = svc . GetMDMAppleProfilesSummary ( ctx , ptr . Uint ( 1 ) )
checkShouldFail ( err , tt . shouldFailTeam )
2023-02-17 15:28:28 +00:00
} )
}
}
func TestNewMDMAppleConfigProfile ( t * testing . T ) {
2023-05-10 20:22:08 +00:00
svc , ctx , ds := setupAppleMDMService ( t , & fleet . LicenseInfo { Tier : fleet . TierPremium } )
2023-02-17 15:28:28 +00:00
ctx = viewer . NewContext ( ctx , viewer . Viewer { User : & fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } } )
2024-10-11 16:15:11 +00:00
identifier := "Bar.$FLEET_VAR_HOST_END_USER_EMAIL_IDP"
mcBytes := mcBytesForTest ( "Foo" , identifier , "UUID" )
2023-02-17 15:28:28 +00:00
r := bytes . NewReader ( mcBytes )
2025-08-10 10:24:38 +00:00
ds . NewMDMAppleConfigProfileFunc = func ( ctx context . Context , cp fleet . MDMAppleConfigProfile , usesVars [ ] fleet . FleetVarName ) ( * fleet . MDMAppleConfigProfile , error ) {
2023-02-17 15:28:28 +00:00
require . Equal ( t , "Foo" , cp . Name )
2024-10-11 16:15:11 +00:00
assert . Equal ( t , identifier , cp . Identifier )
2023-02-17 15:28:28 +00:00
require . Equal ( t , mcBytes , [ ] byte ( cp . Mobileconfig ) )
return & cp , nil
}
2024-05-24 16:25:27 +00:00
ds . NewActivityFunc = func ( context . Context , * fleet . User , fleet . ActivityDetails , [ ] byte , time . Time ) error {
2023-02-17 15:28:28 +00:00
return nil
}
2024-08-30 21:00:35 +00:00
ds . BulkSetPendingMDMHostProfilesFunc = func ( ctx context . Context , hids , tids [ ] uint , puuids , uuids [ ] string ,
) ( updates fleet . MDMProfilesUpdates , err error ) {
return fleet . MDMProfilesUpdates { } , nil
2023-03-27 18:43:01 +00:00
}
2025-09-04 16:39:41 +00:00
ds . GetGroupedCertificateAuthoritiesFunc = func ( ctx context . Context , includeSecrets bool ) ( * fleet . GroupedCertificateAuthorities , error ) {
return & fleet . GroupedCertificateAuthorities { } , nil
}
2023-02-17 15:28:28 +00:00
2024-11-05 18:12:22 +00:00
cp , err := svc . NewMDMAppleConfigProfile ( ctx , 0 , r , nil , fleet . LabelsIncludeAll )
2023-02-17 15:28:28 +00:00
require . NoError ( t , err )
require . Equal ( t , "Foo" , cp . Name )
2024-10-11 16:15:11 +00:00
assert . Equal ( t , identifier , cp . Identifier )
2023-02-17 15:28:28 +00:00
require . Equal ( t , mcBytes , [ ] byte ( cp . Mobileconfig ) )
2024-10-11 16:15:11 +00:00
// Unsupported Fleet variable
mcBytes = mcBytesForTest ( "Foo" , identifier , "UUID${FLEET_VAR_BOZO}" )
r = bytes . NewReader ( mcBytes )
2024-11-05 18:12:22 +00:00
_ , err = svc . NewMDMAppleConfigProfile ( ctx , 0 , r , nil , fleet . LabelsIncludeAll )
2024-10-11 16:15:11 +00:00
assert . ErrorContains ( t , err , "Fleet variable" )
2025-08-22 14:37:12 +00:00
// Test profile with FLEET_SECRET in PayloadDisplayName
mcBytes = mcBytesForTest ( "Profile $FLEET_SECRET_PASSWORD" , "test.identifier" , "UUID" )
r = bytes . NewReader ( mcBytes )
_ , err = svc . NewMDMAppleConfigProfile ( ctx , 0 , r , nil , fleet . LabelsIncludeAll )
assert . ErrorContains ( t , err , "PayloadDisplayName cannot contain FLEET_SECRET variables" )
2023-02-17 15:28:28 +00:00
}
func mcBytesForTest ( name , identifier , uuid string ) [ ] byte {
return [ ] byte ( fmt . Sprintf ( ` < ? xml version = "1.0" encoding = "UTF-8" ? >
< ! DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" >
< plist version = "1.0" >
< dict >
< key > PayloadContent < / key >
< array / >
< key > PayloadDisplayName < / key >
< string > % s < / string >
< key > PayloadIdentifier < / key >
< string > % s < / string >
< key > PayloadType < / key >
< string > Configuration < / string >
< key > PayloadUUID < / key >
< string > % s < / string >
< key > PayloadVersion < / key >
< integer > 1 < / integer >
< / dict >
< / plist >
` , name , identifier , uuid ) )
}
2025-08-22 14:37:12 +00:00
func TestBatchSetMDMAppleProfilesWithSecrets ( t * testing . T ) {
svc , ctx , _ := setupAppleMDMService ( t , & fleet . LicenseInfo { Tier : fleet . TierPremium } )
ctx = viewer . NewContext ( ctx , viewer . Viewer { User : & fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } } )
// Test profile with FLEET_SECRET in PayloadDisplayName
profileWithSecret := mcBytesForTest ( "Profile $FLEET_SECRET_PASSWORD" , "test.identifier" , "UUID" )
err := svc . BatchSetMDMAppleProfiles ( ctx , nil , nil , [ ] [ ] byte { profileWithSecret } , false , false )
assert . ErrorContains ( t , err , "PayloadDisplayName cannot contain FLEET_SECRET variables" )
// Test multiple profiles where one has a secret in PayloadDisplayName
goodProfile := mcBytesForTest ( "Good Profile" , "good.identifier" , "UUID1" )
badProfile := mcBytesForTest ( "Bad $FLEET_SECRET_KEY Profile" , "bad.identifier" , "UUID2" )
err = svc . BatchSetMDMAppleProfiles ( ctx , nil , nil , [ ] [ ] byte { goodProfile , badProfile } , false , false )
assert . ErrorContains ( t , err , "PayloadDisplayName cannot contain FLEET_SECRET variables" )
assert . ErrorContains ( t , err , "profiles[1]" )
}
2024-10-11 16:15:11 +00:00
func TestNewMDMAppleDeclaration ( t * testing . T ) {
svc , ctx , ds := setupAppleMDMService ( t , & fleet . LicenseInfo { Tier : fleet . TierPremium } )
ctx = viewer . NewContext ( ctx , viewer . Viewer { User : & fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } } )
// Unsupported Fleet variable
b := declBytesForTest ( "D1" , "d1content $FLEET_VAR_BOZO" )
2024-11-05 18:12:22 +00:00
_ , err := svc . NewMDMAppleDeclaration ( ctx , 0 , bytes . NewReader ( b ) , nil , "name" , fleet . LabelsIncludeAll )
2024-10-11 16:15:11 +00:00
assert . ErrorContains ( t , err , "Fleet variable" )
2025-08-06 12:38:25 +00:00
// decl type missing actual type
b = declarationForTestWithType ( "D1" , "com.apple.configuration" )
_ , err = svc . NewMDMAppleDeclaration ( ctx , 0 , bytes . NewReader ( b ) , nil , "name" , fleet . LabelsIncludeAll )
assert . ErrorContains ( t , err , "Only configuration declarations (com.apple.configuration.) are supported" )
2024-10-11 16:15:11 +00:00
ds . NewMDMAppleDeclarationFunc = func ( ctx context . Context , d * fleet . MDMAppleDeclaration ) ( * fleet . MDMAppleDeclaration , error ) {
return d , nil
}
ds . NewActivityFunc = func ( context . Context , * fleet . User , fleet . ActivityDetails , [ ] byte , time . Time ) error {
return nil
}
ds . BulkSetPendingMDMHostProfilesFunc = func ( ctx context . Context , hids , tids [ ] uint , puuids , uuids [ ] string ,
) ( updates fleet . MDMProfilesUpdates , err error ) {
return fleet . MDMProfilesUpdates { } , nil
}
// Good declaration
b = declBytesForTest ( "D1" , "d1content" )
2024-11-05 18:12:22 +00:00
d , err := svc . NewMDMAppleDeclaration ( ctx , 0 , bytes . NewReader ( b ) , nil , "name" , fleet . LabelsIncludeAll )
2024-10-11 16:15:11 +00:00
require . NoError ( t , err )
assert . NotNil ( t , d )
}
2025-04-08 14:35:06 +00:00
// Fragile test: This test is fragile because of the large reliance on Datastore mocks. Consider refactoring test/logic or removing the test. It may be slowing us down more than helping us.
2023-02-22 22:26:06 +00:00
func TestHostDetailsMDMProfiles ( t * testing . T ) {
2023-05-10 20:22:08 +00:00
svc , ctx , ds := setupAppleMDMService ( t , & fleet . LicenseInfo { Tier : fleet . TierPremium } )
2023-02-22 22:26:06 +00:00
ctx = viewer . NewContext ( ctx , viewer . Viewer { User : & fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } } )
expected := [ ] fleet . HostMDMAppleProfile {
2023-12-04 15:04:06 +00:00
{ HostUUID : "H057-UU1D-1337" , Name : "NAME-5" , ProfileUUID : "a" + uuid . NewString ( ) , CommandUUID : "CMD-UU1D-5" , Status : & fleet . MDMDeliveryPending , OperationType : fleet . MDMOperationTypeInstall , Detail : "" } ,
{ HostUUID : "H057-UU1D-1337" , Name : "NAME-9" , ProfileUUID : "a" + uuid . NewString ( ) , CommandUUID : "CMD-UU1D-8" , Status : & fleet . MDMDeliveryVerifying , OperationType : fleet . MDMOperationTypeInstall , Detail : "" } ,
{ HostUUID : "H057-UU1D-1337" , Name : "NAME-13" , ProfileUUID : "a" + uuid . NewString ( ) , CommandUUID : "CMD-UU1D-13" , Status : & fleet . MDMDeliveryFailed , OperationType : fleet . MDMOperationTypeRemove , Detail : "Error removing profile" } ,
2023-02-22 22:26:06 +00:00
}
2023-11-20 20:34:57 +00:00
ds . GetHostMDMAppleProfilesFunc = func ( ctx context . Context , hostUUID string ) ( [ ] fleet . HostMDMAppleProfile , error ) {
2023-02-22 22:26:06 +00:00
if hostUUID == "H057-UU1D-1337" {
return expected , nil
}
return [ ] fleet . HostMDMAppleProfile { } , nil
}
ds . HostFunc = func ( ctx context . Context , hostID uint ) ( * fleet . Host , error ) {
if hostID == uint ( 42 ) {
2023-10-06 22:04:33 +00:00
return & fleet . Host { ID : uint ( 42 ) , UUID : "H057-UU1D-1337" , Platform : "darwin" } , nil
2023-02-22 22:26:06 +00:00
}
2023-10-06 22:04:33 +00:00
return & fleet . Host { ID : hostID , UUID : "WR0N6-UU1D" , Platform : "darwin" } , nil
2023-02-22 22:26:06 +00:00
}
ds . HostByIdentifierFunc = func ( ctx context . Context , identifier string ) ( * fleet . Host , error ) {
if identifier == "h0571d3n71f13r" {
2023-10-06 22:04:33 +00:00
return & fleet . Host { ID : uint ( 42 ) , UUID : "H057-UU1D-1337" , Platform : "darwin" } , nil
2023-02-22 22:26:06 +00:00
}
2023-10-06 22:04:33 +00:00
return & fleet . Host { ID : uint ( 21 ) , UUID : "WR0N6-UU1D" , Platform : "darwin" } , nil
2023-02-22 22:26:06 +00:00
}
ds . LoadHostSoftwareFunc = func ( ctx context . Context , host * fleet . Host , includeCVEScores bool ) error {
return nil
}
ds . ListLabelsForHostFunc = func ( ctx context . Context , hid uint ) ( [ ] * fleet . Label , error ) {
return nil , nil
}
ds . ListPacksForHostFunc = func ( ctx context . Context , hid uint ) ( packs [ ] * fleet . Pack , err error ) {
return nil , nil
}
ds . ListHostBatteriesFunc = func ( ctx context . Context , id uint ) ( [ ] * fleet . HostBattery , error ) {
return nil , nil
}
Add host's next maintenance window to the `hosts/{id}` and `hosts/identifier/{identifier}` endpoints, and render that data on the host details page (#19820)
## Addresses full stack for #18554
- Add new `timezone` column to `calendar_events` table
- When fetched from Google's API, save calendar user's timezone in this
new column along with rest of event data
- Implement datastore method to retrieve the start time and timezone for
a host's next calendar event as a `HostMaintenanceWindow`
- Localize and add UTC offset to the `HostMaintenanceWindow`'s start
time according to its `timezone`
- Include the processed `HostMaintenanceWindow`, if present, in the
response to the `GET` `hosts/{id}` and `hosts/identifier/{identifier}`
endpoints
- Implement UI on the host details page to display this data
- Add new and update existing UI, core integration, datastore, and
`fleetctl` tests
- Update `date-fns` package to the latest version
<img width="1062" alt="Screenshot 2024-06-26 at 1 02 34 PM"
src="https://github.com/fleetdm/fleet/assets/61553566/c3ddad97-23da-42c1-b4ed-b7615ec88aed">
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
- [x] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
- [x] Checked schema for all modified tables for columns that will
auto-update timestamps during migration.
- [x] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [x] Manual QA for all new/changed functionality
---------
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
2024-06-28 17:51:13 +00:00
ds . ListUpcomingHostMaintenanceWindowsFunc = func ( ctx context . Context , hid uint ) ( [ ] * fleet . HostMaintenanceWindow , error ) {
return nil , nil
}
2023-02-22 22:26:06 +00:00
ds . ListPoliciesForHostFunc = func ( ctx context . Context , host * fleet . Host ) ( [ ] * fleet . HostPolicy , error ) {
return nil , nil
}
2023-04-22 15:23:38 +00:00
ds . GetHostMDMMacOSSetupFunc = func ( ctx context . Context , hostID uint ) ( * fleet . HostMDMMacOSSetup , error ) {
return nil , nil
}
2024-02-26 16:31:00 +00:00
ds . GetHostLockWipeStatusFunc = func ( ctx context . Context , host * fleet . Host ) ( * fleet . HostLockWipeStatus , error ) {
2024-02-13 18:03:53 +00:00
return & fleet . HostLockWipeStatus { } , nil
}
2025-04-08 14:35:06 +00:00
ds . ScimUserByHostIDFunc = func ( ctx context . Context , hostID uint ) ( * fleet . ScimUser , error ) {
return nil , nil
}
ds . ListHostDeviceMappingFunc = func ( ctx context . Context , id uint ) ( [ ] * fleet . HostDeviceMapping , error ) {
return nil , nil
}
2025-05-20 20:41:38 +00:00
ds . GetHostIssuesLastUpdatedFunc = func ( ctx context . Context , hostId uint ) ( time . Time , error ) {
return time . Time { } , nil
}
ds . UpdateHostIssuesFailingPoliciesFunc = func ( ctx context . Context , hostIDs [ ] uint ) error {
return nil
}
2025-08-22 17:36:03 +00:00
ds . UpdateHostIssuesFailingPoliciesForSingleHostFunc = func ( ctx context . Context , hostID uint ) error {
return nil
}
2025-07-15 18:21:39 +00:00
ds . IsHostDiskEncryptionKeyArchivedFunc = func ( ctx context . Context , hostID uint ) ( bool , error ) {
return false , nil
}
2023-02-22 22:26:06 +00:00
2023-02-23 13:27:00 +00:00
expectedNilSlice := [ ] fleet . HostMDMAppleProfile ( nil )
expectedEmptySlice := [ ] fleet . HostMDMAppleProfile { }
2023-02-22 22:26:06 +00:00
cases := [ ] struct {
name string
mdmEnabled bool
hostID * uint
hostIdentifier * string
expected * [ ] fleet . HostMDMAppleProfile
} {
{
name : "TestGetHostMDMProfilesOK" ,
mdmEnabled : true ,
hostID : ptr . Uint ( 42 ) ,
hostIdentifier : nil ,
expected : & expected ,
} ,
{
name : "TestGetHostMDMProfilesEmpty" ,
2023-02-23 13:27:00 +00:00
mdmEnabled : true ,
2023-02-22 22:26:06 +00:00
hostID : ptr . Uint ( 21 ) ,
hostIdentifier : nil ,
2023-02-23 13:27:00 +00:00
expected : & expectedEmptySlice ,
2023-02-22 22:26:06 +00:00
} ,
{
name : "TestGetHostMDMProfilesNil" ,
mdmEnabled : false ,
hostID : ptr . Uint ( 42 ) ,
hostIdentifier : nil ,
2023-02-23 13:27:00 +00:00
expected : & expectedNilSlice ,
2023-02-22 22:26:06 +00:00
} ,
{
name : "TestHostByIdentifierMDMProfilesOK" ,
mdmEnabled : true ,
hostID : nil ,
hostIdentifier : ptr . String ( "h0571d3n71f13r" ) ,
expected : & expected ,
} ,
{
name : "TestHostByIdentifierMDMProfilesNil" ,
mdmEnabled : false ,
hostID : nil ,
hostIdentifier : ptr . String ( "h0571d3n71f13r" ) ,
2023-02-23 13:27:00 +00:00
expected : & expectedNilSlice ,
2023-02-22 22:26:06 +00:00
} ,
{
name : "TestHostByIdentifierMDMProfilesEmpty" ,
2023-02-23 13:27:00 +00:00
mdmEnabled : true ,
2023-02-22 22:26:06 +00:00
hostID : nil ,
hostIdentifier : ptr . String ( "4n07h3r1d3n71f13r" ) ,
2023-02-23 13:27:00 +00:00
expected : & expectedEmptySlice ,
2023-02-22 22:26:06 +00:00
} ,
}
for _ , c := range cases {
t . Run ( c . name , func ( t * testing . T ) {
ds . AppConfigFunc = func ( context . Context ) ( * fleet . AppConfig , error ) {
return & fleet . AppConfig { MDM : fleet . MDM { EnabledAndConfigured : c . mdmEnabled } } , nil
}
ds . AppConfigFuncInvoked = false
ds . HostFuncInvoked = false
ds . HostByIdentifierFuncInvoked = false
2023-11-20 20:34:57 +00:00
ds . GetHostMDMAppleProfilesFuncInvoked = false
2023-02-22 22:26:06 +00:00
var gotHost * fleet . HostDetail
if c . hostID != nil {
h , err := svc . GetHost ( ctx , * c . hostID , fleet . HostDetailOptions { } )
require . NoError ( t , err )
require . True ( t , ds . HostFuncInvoked )
gotHost = h
}
if c . hostIdentifier != nil {
h , err := svc . HostByIdentifier ( ctx , * c . hostIdentifier , fleet . HostDetailOptions { } )
require . NoError ( t , err )
require . True ( t , ds . HostByIdentifierFuncInvoked )
gotHost = h
}
require . NotNil ( t , gotHost )
require . True ( t , ds . AppConfigFuncInvoked )
if ! c . mdmEnabled {
2023-11-20 20:34:57 +00:00
var ep [ ] fleet . HostMDMProfile
switch c . expected {
case & expectedNilSlice :
ns := [ ] fleet . HostMDMProfile ( nil )
ep = ns
case & expectedEmptySlice :
ep = [ ] fleet . HostMDMProfile { }
default :
for _ , p := range * c . expected {
2024-05-28 22:17:14 +00:00
ep = append ( ep , p . ToHostMDMProfile ( gotHost . Platform ) )
2023-11-20 20:34:57 +00:00
}
}
require . Equal ( t , gotHost . MDM . Profiles , & ep )
2023-02-22 22:26:06 +00:00
return
}
2023-11-20 20:34:57 +00:00
require . True ( t , ds . GetHostMDMAppleProfilesFuncInvoked )
2023-02-22 22:26:06 +00:00
require . NotNil ( t , gotHost . MDM . Profiles )
2023-11-20 20:34:57 +00:00
ep := make ( [ ] fleet . HostMDMProfile , 0 , len ( * gotHost . MDM . Profiles ) )
for _ , p := range * c . expected {
2024-05-28 22:17:14 +00:00
ep = append ( ep , p . ToHostMDMProfile ( gotHost . Platform ) )
2023-11-20 20:34:57 +00:00
}
require . ElementsMatch ( t , ep , * gotHost . MDM . Profiles )
2023-02-22 22:26:06 +00:00
} )
}
}
2023-01-23 23:05:24 +00:00
func TestMDMCommandAuthz ( t * testing . T ) {
2023-05-10 20:22:08 +00:00
svc , ctx , ds := setupAppleMDMService ( t , & fleet . LicenseInfo { Tier : fleet . TierPremium } )
2023-01-23 23:05:24 +00:00
ds . HostLiteFunc = func ( ctx context . Context , hostID uint ) ( * fleet . Host , error ) {
switch hostID {
case 1 :
return & fleet . Host { UUID : "test-host-team-1" , TeamID : ptr . Uint ( 1 ) } , nil
default :
return & fleet . Host { UUID : "test-host-no-team" } , nil
}
}
ds . GetHostMDMCheckinInfoFunc = func ( ctx context . Context , hostUUID string ) ( * fleet . HostMDMCheckinInfo , error ) {
2024-05-28 22:17:14 +00:00
return & fleet . HostMDMCheckinInfo { Platform : "darwin" } , nil
2023-01-23 23:05:24 +00:00
}
2024-05-24 16:25:27 +00:00
ds . NewActivityFunc = func ( context . Context , * fleet . User , fleet . ActivityDetails , [ ] byte , time . Time ) error {
2023-01-23 23:05:24 +00:00
return nil
}
2024-04-29 19:43:15 +00:00
ds . MDMTurnOffFunc = func ( ctx context . Context , uuid string ) error {
return nil
}
2023-01-23 23:05:24 +00:00
var mdmEnabled atomic . Bool
2023-03-27 18:43:01 +00:00
ds . GetNanoMDMEnrollmentFunc = func ( ctx context . Context , hostUUID string ) ( * fleet . NanoEnrollment , error ) {
2023-01-23 23:05:24 +00:00
// This function is called twice during EnqueueMDMAppleCommandRemoveEnrollmentProfile.
// It first is called to check that the device is enrolled as a pre-condition to enqueueing the
// command. It is called second time after the command has been enqueued to check whether
// the device was successfully unenrolled.
//
// For each test run, the bool should be initialized to true to simulate an existing device
// that is initially enrolled to Fleet's MDM.
2023-03-27 18:43:01 +00:00
enroll := fleet . NanoEnrollment {
Enabled : mdmEnabled . Swap ( ! mdmEnabled . Load ( ) ) ,
}
return & enroll , nil
2023-01-23 23:05:24 +00:00
}
testCases := [ ] struct {
name string
user * fleet . User
shouldFailGlobal bool
shouldFailTeam bool
} {
{
"global admin" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } ,
false ,
false ,
} ,
{
"global maintainer" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleMaintainer ) } ,
false ,
false ,
} ,
{
"global observer" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleObserver ) } ,
true ,
true ,
} ,
{
"team admin, belongs to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 1 } , Role : fleet . RoleAdmin } } } ,
true ,
false ,
} ,
{
"team admin, DOES NOT belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 2 } , Role : fleet . RoleAdmin } } } ,
true ,
true ,
} ,
{
"team maintainer, belongs to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 1 } , Role : fleet . RoleMaintainer } } } ,
true ,
false ,
} ,
{
"team maintainer, DOES NOT belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 2 } , Role : fleet . RoleMaintainer } } } ,
true ,
true ,
} ,
{
"team observer, belongs to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 1 } , Role : fleet . RoleObserver } } } ,
true ,
true ,
} ,
{
"team observer, DOES NOT belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 2 } , Role : fleet . RoleObserver } } } ,
true ,
true ,
} ,
{
"user no roles" ,
& fleet . User { ID : 1337 } ,
true ,
true ,
} ,
}
for _ , tt := range testCases {
t . Run ( tt . name , func ( t * testing . T ) {
ctx := viewer . NewContext ( ctx , viewer . Viewer { User : tt . user } )
mdmEnabled . Store ( true )
err := svc . EnqueueMDMAppleCommandRemoveEnrollmentProfile ( ctx , 42 ) // global host
if ! tt . shouldFailGlobal {
require . NoError ( t , err )
} else {
require . Error ( t , err )
require . Contains ( t , err . Error ( ) , authz . ForbiddenErrorMessage )
}
mdmEnabled . Store ( true )
err = svc . EnqueueMDMAppleCommandRemoveEnrollmentProfile ( ctx , 1 ) // host belongs to team 1
if ! tt . shouldFailTeam {
require . NoError ( t , err )
} else {
require . Error ( t , err )
require . Contains ( t , err . Error ( ) , authz . ForbiddenErrorMessage )
}
} )
}
}
2024-03-04 19:53:16 +00:00
func TestMDMAuthenticateManualEnrollment ( t * testing . T ) {
2023-01-16 20:06:30 +00:00
ds := new ( mock . Store )
2024-04-29 19:43:15 +00:00
mdmLifecycle := mdmlifecycle . New ( ds , kitlog . NewNopLogger ( ) )
svc := MDMAppleCheckinAndCommandService {
ds : ds ,
mdmLifecycle : mdmLifecycle ,
}
2023-01-16 20:06:30 +00:00
ctx := context . Background ( )
uuid , serial , model := "ABC-DEF-GHI" , "XYZABC" , "MacBookPro 16,1"
2025-07-22 21:24:19 +00:00
ds . MDMAppleUpsertHostFunc = func ( ctx context . Context , mdmHost * fleet . Host , fromPersonalEnrollment bool ) error {
2024-04-29 19:43:15 +00:00
require . Equal ( t , uuid , mdmHost . UUID )
require . Equal ( t , serial , mdmHost . HardwareSerial )
require . Equal ( t , model , mdmHost . HardwareModel )
2025-07-22 21:24:19 +00:00
require . False ( t , fromPersonalEnrollment )
2023-01-16 20:06:30 +00:00
return nil
}
ds . GetHostMDMCheckinInfoFunc = func ( ct context . Context , hostUUID string ) ( * fleet . HostMDMCheckinInfo , error ) {
require . Equal ( t , uuid , hostUUID )
2024-03-04 19:53:16 +00:00
return & fleet . HostMDMCheckinInfo {
HardwareSerial : serial ,
DisplayName : fmt . Sprintf ( "%s (%s)" , model , serial ) ,
InstalledFromDEP : false ,
} , nil
2023-01-16 20:06:30 +00:00
}
2024-05-24 16:25:27 +00:00
ds . AppConfigFunc = func ( context . Context ) ( * fleet . AppConfig , error ) {
return & fleet . AppConfig { } , nil
}
ds . NewActivityFunc = func (
ctx context . Context , user * fleet . User , activity fleet . ActivityDetails , details [ ] byte , createdAt time . Time ,
) error {
2023-01-16 20:06:30 +00:00
a , ok := activity . ( * fleet . ActivityTypeMDMEnrolled )
require . True ( t , ok )
require . Nil ( t , user )
require . Equal ( t , "mdm_enrolled" , activity . ActivityName ( ) )
2025-07-22 21:24:19 +00:00
require . NotNil ( t , a . HostSerial )
2025-07-24 15:28:50 +00:00
require . Equal ( t , serial , * a . HostSerial )
require . Nil ( t , a . EnrollmentID )
2023-01-23 23:05:24 +00:00
require . Equal ( t , a . HostDisplayName , fmt . Sprintf ( "%s (%s)" , model , serial ) )
2023-01-16 20:06:30 +00:00
require . False ( t , a . InstalledFromDEP )
2023-07-06 18:33:40 +00:00
require . Equal ( t , fleet . MDMPlatformApple , a . MDMPlatform )
2023-01-16 20:06:30 +00:00
return nil
}
2025-05-19 18:29:46 +00:00
ds . MDMResetEnrollmentFunc = func ( ctx context . Context , hostUUID string , scepRenewalInProgress bool ) error {
2023-06-06 23:18:14 +00:00
require . Equal ( t , uuid , hostUUID )
return nil
}
2023-01-16 20:06:30 +00:00
err := svc . Authenticate (
2024-04-29 19:43:15 +00:00
& mdm . Request { Context : ctx , EnrollID : & mdm . EnrollID { ID : uuid } } ,
2023-01-16 20:06:30 +00:00
& mdm . Authenticate {
Enrollment : mdm . Enrollment {
UDID : uuid ,
} ,
SerialNumber : serial ,
Model : model ,
} ,
)
require . NoError ( t , err )
2024-04-29 19:43:15 +00:00
require . True ( t , ds . MDMAppleUpsertHostFuncInvoked )
2023-01-16 20:06:30 +00:00
require . True ( t , ds . GetHostMDMCheckinInfoFuncInvoked )
require . True ( t , ds . NewActivityFuncInvoked )
2024-04-29 19:43:15 +00:00
require . True ( t , ds . MDMResetEnrollmentFuncInvoked )
2023-01-16 20:06:30 +00:00
}
2024-03-04 19:53:16 +00:00
func TestMDMAuthenticateADE ( t * testing . T ) {
ds := new ( mock . Store )
2024-04-29 19:43:15 +00:00
mdmLifecycle := mdmlifecycle . New ( ds , kitlog . NewNopLogger ( ) )
svc := MDMAppleCheckinAndCommandService {
ds : ds ,
mdmLifecycle : mdmLifecycle ,
}
2024-03-04 19:53:16 +00:00
ctx := context . Background ( )
uuid , serial , model := "ABC-DEF-GHI" , "XYZABC" , "MacBookPro 16,1"
2025-07-22 21:24:19 +00:00
ds . MDMAppleUpsertHostFunc = func ( ctx context . Context , mdmHost * fleet . Host , fromPersonalEnrollment bool ) error {
2024-04-29 19:43:15 +00:00
require . Equal ( t , uuid , mdmHost . UUID )
require . Equal ( t , serial , mdmHost . HardwareSerial )
require . Equal ( t , model , mdmHost . HardwareModel )
2025-07-22 21:24:19 +00:00
require . False ( t , fromPersonalEnrollment )
2024-03-04 19:53:16 +00:00
return nil
}
ds . GetHostMDMCheckinInfoFunc = func ( ct context . Context , hostUUID string ) ( * fleet . HostMDMCheckinInfo , error ) {
require . Equal ( t , uuid , hostUUID )
return & fleet . HostMDMCheckinInfo {
HardwareSerial : serial ,
DisplayName : fmt . Sprintf ( "%s (%s)" , model , serial ) ,
DEPAssignedToFleet : true ,
} , nil
}
2024-05-24 16:25:27 +00:00
ds . AppConfigFunc = func ( context . Context ) ( * fleet . AppConfig , error ) {
return & fleet . AppConfig { } , nil
}
ds . NewActivityFunc = func (
ctx context . Context , user * fleet . User , activity fleet . ActivityDetails , details [ ] byte , createdAt time . Time ,
) error {
2024-03-04 19:53:16 +00:00
a , ok := activity . ( * fleet . ActivityTypeMDMEnrolled )
require . True ( t , ok )
require . Nil ( t , user )
require . Equal ( t , "mdm_enrolled" , activity . ActivityName ( ) )
2025-07-22 21:24:19 +00:00
require . NotNil ( t , a . HostSerial )
2025-07-24 15:28:50 +00:00
require . Equal ( t , serial , * a . HostSerial )
require . Nil ( t , a . EnrollmentID )
2024-03-04 19:53:16 +00:00
require . Equal ( t , a . HostDisplayName , fmt . Sprintf ( "%s (%s)" , model , serial ) )
require . True ( t , a . InstalledFromDEP )
require . Equal ( t , fleet . MDMPlatformApple , a . MDMPlatform )
return nil
}
2025-05-19 18:29:46 +00:00
ds . MDMResetEnrollmentFunc = func ( ctx context . Context , hostUUID string , scepRenewalInProgress bool ) error {
2024-03-04 19:53:16 +00:00
require . Equal ( t , uuid , hostUUID )
return nil
}
err := svc . Authenticate (
2024-04-29 19:43:15 +00:00
& mdm . Request { Context : ctx , EnrollID : & mdm . EnrollID { ID : uuid } } ,
2024-03-04 19:53:16 +00:00
& mdm . Authenticate {
Enrollment : mdm . Enrollment {
UDID : uuid ,
} ,
SerialNumber : serial ,
Model : model ,
} ,
)
require . NoError ( t , err )
2024-04-29 19:43:15 +00:00
require . True ( t , ds . MDMAppleUpsertHostFuncInvoked )
2024-03-04 19:53:16 +00:00
require . True ( t , ds . GetHostMDMCheckinInfoFuncInvoked )
require . True ( t , ds . NewActivityFuncInvoked )
2024-04-29 19:43:15 +00:00
require . True ( t , ds . MDMResetEnrollmentFuncInvoked )
2024-03-04 19:53:16 +00:00
}
func TestMDMAuthenticateSCEPRenewal ( t * testing . T ) {
ds := new ( mock . Store )
2024-04-29 19:43:15 +00:00
mdmLifecycle := mdmlifecycle . New ( ds , kitlog . NewNopLogger ( ) )
svc := MDMAppleCheckinAndCommandService {
ds : ds ,
mdmLifecycle : mdmLifecycle ,
logger : kitlog . NewNopLogger ( ) ,
}
2024-03-04 19:53:16 +00:00
ctx := context . Background ( )
uuid , serial , model := "ABC-DEF-GHI" , "XYZABC" , "MacBookPro 16,1"
ds . GetHostMDMCheckinInfoFunc = func ( ct context . Context , hostUUID string ) ( * fleet . HostMDMCheckinInfo , error ) {
require . Equal ( t , uuid , hostUUID )
return & fleet . HostMDMCheckinInfo {
HardwareSerial : serial ,
DisplayName : fmt . Sprintf ( "%s (%s)" , model , serial ) ,
SCEPRenewalInProgress : true ,
} , nil
}
2024-05-24 16:25:27 +00:00
ds . NewActivityFunc = func (
ctx context . Context , user * fleet . User , activity fleet . ActivityDetails , details [ ] byte , createdAt time . Time ,
) error {
2024-03-04 19:53:16 +00:00
return nil
}
2025-05-19 18:29:46 +00:00
ds . MDMResetEnrollmentFunc = func ( ctx context . Context , hostUUID string , scepRenewalInProgress bool ) error {
require . Equal ( t , uuid , hostUUID )
require . True ( t , scepRenewalInProgress )
2024-03-04 19:53:16 +00:00
return nil
}
2025-07-22 21:24:19 +00:00
ds . MDMAppleUpsertHostFunc = func ( ctx context . Context , mdmHost * fleet . Host , fromPersonalEnrollment bool ) error {
require . Equal ( t , uuid , mdmHost . UUID )
require . Equal ( t , serial , mdmHost . HardwareSerial )
require . Equal ( t , model , mdmHost . HardwareModel )
require . False ( t , fromPersonalEnrollment )
2024-03-04 19:53:16 +00:00
return nil
}
err := svc . Authenticate (
& mdm . Request { Context : ctx , EnrollID : & mdm . EnrollID { ID : uuid } } ,
& mdm . Authenticate {
Enrollment : mdm . Enrollment {
UDID : uuid ,
} ,
SerialNumber : serial ,
Model : model ,
} ,
)
require . NoError ( t , err )
2024-04-29 19:43:15 +00:00
require . False ( t , ds . MDMAppleUpsertHostFuncInvoked )
2024-03-04 19:53:16 +00:00
require . True ( t , ds . GetHostMDMCheckinInfoFuncInvoked )
require . False ( t , ds . NewActivityFuncInvoked )
2025-05-19 18:29:46 +00:00
require . True ( t , ds . MDMResetEnrollmentFuncInvoked )
2024-03-04 19:53:16 +00:00
}
2025-09-15 06:08:22 +00:00
func TestMDMUnenrollment ( t * testing . T ) {
svc , ctx , ds := setupAppleMDMService ( t , & fleet . LicenseInfo { Tier : fleet . TierPremium } )
ctx = viewer . NewContext ( ctx , viewer . Viewer { User : & fleet . User { ID : 1 , GlobalRole : ptr . String ( fleet . RoleAdmin ) } } )
ds . HostLiteFunc = func ( ctx context . Context , hostID uint ) ( * fleet . Host , error ) {
switch hostID {
case 1 :
return & fleet . Host { UUID : "test-host-no-team-2" } , nil
default :
return & fleet . Host { UUID : "test-host-no-team" } , nil
}
}
ds . GetHostMDMCheckinInfoFunc = func ( ctx context . Context , hostUUID string ) ( * fleet . HostMDMCheckinInfo , error ) {
return & fleet . HostMDMCheckinInfo { Platform : "darwin" } , nil
}
ds . NewActivityFunc = func ( context . Context , * fleet . User , fleet . ActivityDetails , [ ] byte , time . Time ) error {
return nil
}
ds . MDMTurnOffFunc = func ( ctx context . Context , uuid string ) error {
return nil
}
ds . GetNanoMDMEnrollmentFunc = func ( ctx context . Context , hostUUID string ) ( * fleet . NanoEnrollment , error ) {
enrollmentType := mdm . EnrollType ( mdm . Device ) . String ( )
if hostUUID == "test-host-no-team-2" {
enrollmentType = mdm . EnrollType ( mdm . UserEnrollmentDevice ) . String ( )
}
enroll := fleet . NanoEnrollment {
Enabled : true ,
Type : enrollmentType ,
}
return & enroll , nil
}
t . Run ( "Unenrolls macos device" , func ( t * testing . T ) {
err := svc . EnqueueMDMAppleCommandRemoveEnrollmentProfile ( ctx , 42 ) // global host
require . NoError ( t , err )
} )
t . Run ( "Unenrolls personal ios device" , func ( t * testing . T ) {
err := svc . EnqueueMDMAppleCommandRemoveEnrollmentProfile ( ctx , 1 ) // personal host
require . NoError ( t , err )
} )
}
2023-04-05 23:52:26 +00:00
func TestMDMTokenUpdate ( t * testing . T ) {
ctx := context . Background ( )
ds := new ( mock . Store )
2024-05-30 21:18:42 +00:00
mdmStorage := & mdmmock . MDMAppleStore { }
2023-04-05 23:52:26 +00:00
pushFactory , _ := newMockAPNSPushProviderFactory ( )
pusher := nanomdm_pushsvc . New (
mdmStorage ,
mdmStorage ,
pushFactory ,
NewNanoMDMLogger ( kitlog . NewJSONLogger ( os . Stdout ) ) ,
)
2024-05-30 21:18:42 +00:00
cmdr := apple_mdm . NewMDMAppleCommander ( mdmStorage , pusher )
2024-04-29 19:43:15 +00:00
mdmLifecycle := mdmlifecycle . New ( ds , kitlog . NewNopLogger ( ) )
svc := MDMAppleCheckinAndCommandService {
ds : ds ,
mdmLifecycle : mdmLifecycle ,
commander : cmdr ,
logger : kitlog . NewNopLogger ( ) ,
}
2023-04-07 20:31:02 +00:00
uuid , serial , model , wantTeamID := "ABC-DEF-GHI" , "XYZABC" , "MacBookPro 16,1" , uint ( 12 )
2023-04-05 23:52:26 +00:00
ds . GetNanoMDMEnrollmentFunc = func ( ctx context . Context , hostUUID string ) ( * fleet . NanoEnrollment , error ) {
return & fleet . NanoEnrollment { Enabled : true , Type : "Device" , TokenUpdateTally : 1 } , nil
}
ds . GetHostMDMCheckinInfoFunc = func ( ct context . Context , hostUUID string ) ( * fleet . HostMDMCheckinInfo , error ) {
require . Equal ( t , uuid , hostUUID )
return & fleet . HostMDMCheckinInfo {
Skip setup experience during AxM based migrations (#32822)
Fixes #32096
The gist of the fix is that when syncing devices from DEP we save the
migration deadline to our host_dep_assignments table. The next
enrollment, which we assume should be the migration, looks at
host_dep_assignments, sees that mdm_migration_deadline is non-Null and
mdm_migration_completed is NULL, and uses that as the signal that a
migration is in progress and skips enqueuing setup experience items. It
then marks the migration as complete which sets mdm_migration_completed
= mdm_migration_deadline. Once this is set setup experience will run as
normal unless mdm_migration_completed gets set to NULL and/or
mdm_migration_deadline gets set to a value in the future(which e.g.
would happen if the customer assigned to another MDM server then
assigned to migrate to fleet again)
DB test failure is expected here because it won't like the migration
timestamp but that is a necessary failure because this fix is going to
be backported into 4.73
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [x] Confirmed that the fix is not expected to adversely impact load
test results
- [x] Alerted the release DRI if additional load testing is needed
## Database migrations
- [x] Checked table schema to confirm autoupdate
- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [x] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [x] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* New Features
* Tracks and stores Apple DEP MDM migration deadlines per device/host.
* Detects “migration in progress” during DEP sync and check-in.
* Automatically marks migration complete and skips Setup Assistant items
while migration is in progress to prevent conflicts.
* Bug Fixes
* Improved DEP compatibility by updating the protocol version and
User-Agent used for Apple’s APIs, reducing the chance of blocked or
rejected requests.
* Migrations
* Adds fields to support migration deadlines and completion status (no
action required).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
2025-09-11 13:40:40 +00:00
HostID : 1337 ,
2023-09-23 00:54:45 +00:00
HardwareSerial : serial ,
DisplayName : model ,
InstalledFromDEP : true ,
TeamID : wantTeamID ,
DEPAssignedToFleet : true ,
2024-05-28 22:17:14 +00:00
Platform : "darwin" ,
2023-04-05 23:52:26 +00:00
} , nil
2025-05-19 18:29:46 +00:00
}
ds . GetMDMIdPAccountByHostUUIDFunc = func ( ctx context . Context , hostUUID string ) ( * fleet . MDMIdPAccount , error ) {
require . Equal ( t , uuid , hostUUID )
return & fleet . MDMIdPAccount {
UUID : "some-uuid" ,
Username : "some-user" ,
Email : "some-user@example.com" ,
Fullname : "Some User" ,
} , nil
2023-04-05 23:52:26 +00:00
}
2023-06-05 15:58:23 +00:00
ds . NewJobFunc = func ( ctx context . Context , j * fleet . Job ) ( * fleet . Job , error ) {
return j , nil
2023-05-18 15:50:00 +00:00
}
2023-04-22 15:23:38 +00:00
2023-04-05 23:52:26 +00:00
err := svc . TokenUpdate (
& mdm . Request { Context : ctx , EnrollID : & mdm . EnrollID { ID : uuid } } ,
& mdm . TokenUpdate {
Enrollment : mdm . Enrollment {
UDID : uuid ,
} ,
} ,
)
require . NoError ( t , err )
require . True ( t , ds . GetHostMDMCheckinInfoFuncInvoked )
2023-06-05 15:58:23 +00:00
require . True ( t , ds . NewJobFuncInvoked )
2023-05-18 15:50:00 +00:00
ds . GetHostMDMCheckinInfoFuncInvoked = false
2023-06-05 15:58:23 +00:00
ds . NewJobFuncInvoked = false
2023-05-18 15:50:00 +00:00
// with enrollment reference
err = svc . TokenUpdate (
& mdm . Request {
Context : ctx ,
EnrollID : & mdm . EnrollID { ID : uuid } ,
2023-06-05 15:58:23 +00:00
Params : map [ string ] string { "enroll_reference" : "abcd" } ,
2023-05-18 15:50:00 +00:00
} ,
& mdm . TokenUpdate {
Enrollment : mdm . Enrollment {
UDID : uuid ,
} ,
} ,
)
require . NoError ( t , err )
require . True ( t , ds . GetHostMDMCheckinInfoFuncInvoked )
2023-06-05 15:58:23 +00:00
require . True ( t , ds . NewJobFuncInvoked )
Skip setup experience during AxM based migrations (#32822)
Fixes #32096
The gist of the fix is that when syncing devices from DEP we save the
migration deadline to our host_dep_assignments table. The next
enrollment, which we assume should be the migration, looks at
host_dep_assignments, sees that mdm_migration_deadline is non-Null and
mdm_migration_completed is NULL, and uses that as the signal that a
migration is in progress and skips enqueuing setup experience items. It
then marks the migration as complete which sets mdm_migration_completed
= mdm_migration_deadline. Once this is set setup experience will run as
normal unless mdm_migration_completed gets set to NULL and/or
mdm_migration_deadline gets set to a value in the future(which e.g.
would happen if the customer assigned to another MDM server then
assigned to migrate to fleet again)
DB test failure is expected here because it won't like the migration
timestamp but that is a necessary failure because this fix is going to
be backported into 4.73
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [x] Confirmed that the fix is not expected to adversely impact load
test results
- [x] Alerted the release DRI if additional load testing is needed
## Database migrations
- [x] Checked table schema to confirm autoupdate
- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [x] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [x] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* New Features
* Tracks and stores Apple DEP MDM migration deadlines per device/host.
* Detects “migration in progress” during DEP sync and check-in.
* Automatically marks migration complete and skips Setup Assistant items
while migration is in progress to prevent conflicts.
* Bug Fixes
* Improved DEP compatibility by updating the protocol version and
User-Agent used for Apple’s APIs, reducing the chance of blocked or
rejected requests.
* Migrations
* Adds fields to support migration deadlines and completion status (no
action required).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
2025-09-11 13:40:40 +00:00
// With AwaitingConfiguration - should check for and enqueue SetupExperience items
ds . EnqueueSetupExperienceItemsFunc = func ( ctx context . Context , hostPlatformLike string , hostUUID string , teamID uint ) ( bool , error ) {
require . Equal ( t , "darwin" , hostPlatformLike )
require . Equal ( t , uuid , hostUUID )
require . Equal ( t , wantTeamID , teamID )
return true , nil
}
err = svc . TokenUpdate (
& mdm . Request {
Context : ctx ,
EnrollID : & mdm . EnrollID { ID : uuid } ,
Params : map [ string ] string { "enroll_reference" : "abcd" } ,
} ,
& mdm . TokenUpdate {
Enrollment : mdm . Enrollment {
AwaitingConfiguration : true ,
UDID : uuid ,
} ,
} ,
)
require . NoError ( t , err )
require . True ( t , ds . EnqueueSetupExperienceItemsFuncInvoked )
ds . GetHostMDMCheckinInfoFunc = func ( ct context . Context , hostUUID string ) ( * fleet . HostMDMCheckinInfo , error ) {
require . Equal ( t , uuid , hostUUID )
return & fleet . HostMDMCheckinInfo {
HostID : 1337 ,
HardwareSerial : serial ,
DisplayName : model ,
InstalledFromDEP : true ,
TeamID : wantTeamID ,
DEPAssignedToFleet : true ,
Platform : "darwin" ,
MigrationInProgress : true ,
} , nil
}
ds . SetHostMDMMigrationCompletedFunc = func ( ctx context . Context , hostID uint ) error {
require . Equal ( t , uint ( 1337 ) , hostID )
return nil
}
ds . EnqueueSetupExperienceItemsFuncInvoked = false
err = svc . TokenUpdate (
& mdm . Request {
Context : ctx ,
EnrollID : & mdm . EnrollID { ID : uuid } ,
Params : map [ string ] string { "enroll_reference" : "abcd" } ,
} ,
& mdm . TokenUpdate {
Enrollment : mdm . Enrollment {
AwaitingConfiguration : true ,
UDID : uuid ,
} ,
} ,
)
require . NoError ( t , err )
// Should NOT call the setup experience enqueue function but it should mark the migration complete
require . False ( t , ds . EnqueueSetupExperienceItemsFuncInvoked )
require . True ( t , ds . SetHostMDMMigrationCompletedFuncInvoked )
ds . SetHostMDMMigrationCompletedFuncInvoked = false
err = svc . TokenUpdate (
& mdm . Request {
Context : ctx ,
EnrollID : & mdm . EnrollID { ID : uuid } ,
Params : map [ string ] string { "enroll_reference" : "abcd" } ,
} ,
& mdm . TokenUpdate {
Enrollment : mdm . Enrollment {
UDID : uuid ,
} ,
} ,
)
require . NoError ( t , err )
// Should NOT call the setup experience enqueue function but it should mark the migration complete
require . False ( t , ds . EnqueueSetupExperienceItemsFuncInvoked )
require . True ( t , ds . SetHostMDMMigrationCompletedFuncInvoked )
2023-04-05 23:52:26 +00:00
}
2023-01-16 20:06:30 +00:00
func TestMDMCheckout ( t * testing . T ) {
ds := new ( mock . Store )
2024-04-29 19:43:15 +00:00
mdmLifecycle := mdmlifecycle . New ( ds , kitlog . NewNopLogger ( ) )
svc := MDMAppleCheckinAndCommandService {
ds : ds ,
mdmLifecycle : mdmLifecycle ,
logger : kitlog . NewNopLogger ( ) ,
}
2023-01-16 20:06:30 +00:00
ctx := context . Background ( )
2023-01-23 23:05:24 +00:00
uuid , serial , installedFromDEP , displayName := "ABC-DEF-GHI" , "XYZABC" , true , "Test's MacBook"
2023-01-16 20:06:30 +00:00
2024-04-29 19:43:15 +00:00
ds . MDMTurnOffFunc = func ( ctx context . Context , hostUUID string ) error {
2023-01-16 20:06:30 +00:00
require . Equal ( t , uuid , hostUUID )
return nil
}
ds . GetHostMDMCheckinInfoFunc = func ( ct context . Context , hostUUID string ) ( * fleet . HostMDMCheckinInfo , error ) {
require . Equal ( t , uuid , hostUUID )
return & fleet . HostMDMCheckinInfo {
HardwareSerial : serial ,
2023-01-23 23:05:24 +00:00
DisplayName : displayName ,
2023-01-16 20:06:30 +00:00
InstalledFromDEP : installedFromDEP ,
2024-05-28 22:17:14 +00:00
Platform : "darwin" ,
2023-01-16 20:06:30 +00:00
} , nil
}
2024-05-24 16:25:27 +00:00
ds . AppConfigFunc = func ( context . Context ) ( * fleet . AppConfig , error ) {
return & fleet . AppConfig { } , nil
}
ds . NewActivityFunc = func (
ctx context . Context , user * fleet . User , activity fleet . ActivityDetails , details [ ] byte , createdAt time . Time ,
) error {
2023-01-16 20:06:30 +00:00
a , ok := activity . ( * fleet . ActivityTypeMDMUnenrolled )
require . True ( t , ok )
require . Nil ( t , user )
require . Equal ( t , "mdm_unenrolled" , activity . ActivityName ( ) )
require . Equal ( t , serial , a . HostSerial )
2023-01-23 23:05:24 +00:00
require . Equal ( t , displayName , a . HostDisplayName )
2023-01-16 20:06:30 +00:00
require . True ( t , a . InstalledFromDEP )
return nil
}
err := svc . CheckOut (
2024-04-29 19:43:15 +00:00
& mdm . Request {
Context : ctx ,
EnrollID : & mdm . EnrollID { ID : uuid } ,
} ,
2023-01-16 20:06:30 +00:00
& mdm . CheckOut {
Enrollment : mdm . Enrollment {
UDID : uuid ,
} ,
} ,
)
require . NoError ( t , err )
2024-04-29 19:43:15 +00:00
require . True ( t , ds . MDMTurnOffFuncInvoked )
2023-01-16 20:06:30 +00:00
require . True ( t , ds . GetHostMDMCheckinInfoFuncInvoked )
require . True ( t , ds . NewActivityFuncInvoked )
}
2023-02-15 18:01:44 +00:00
2023-02-22 17:49:06 +00:00
func TestMDMCommandAndReportResultsProfileHandling ( t * testing . T ) {
ctx := context . Background ( )
hostUUID := "ABC-DEF-GHI"
commandUUID := "COMMAND-UUID"
2023-09-12 14:59:47 +00:00
profileIdentifier := "PROFILE-IDENTIFIER"
2023-02-22 17:49:06 +00:00
cases := [ ] struct {
status string
requestType string
errors [ ] mdm . ErrorChain
want * fleet . HostMDMAppleProfile
2023-09-12 14:59:47 +00:00
prevRetries uint
2023-02-22 17:49:06 +00:00
} {
{
status : "Acknowledged" ,
requestType : "InstallProfile" ,
errors : nil ,
want : & fleet . HostMDMAppleProfile {
2023-11-07 21:03:03 +00:00
Status : & fleet . MDMDeliveryVerifying ,
2023-02-22 17:49:06 +00:00
Detail : "" ,
2023-11-07 21:03:03 +00:00
OperationType : fleet . MDMOperationTypeInstall ,
2023-02-22 17:49:06 +00:00
} ,
} ,
{
status : "Acknowledged" ,
requestType : "RemoveProfile" ,
errors : nil ,
want : & fleet . HostMDMAppleProfile {
2023-11-07 21:03:03 +00:00
Status : & fleet . MDMDeliveryVerifying ,
2023-02-22 17:49:06 +00:00
Detail : "" ,
2023-11-07 21:03:03 +00:00
OperationType : fleet . MDMOperationTypeRemove ,
2023-02-22 17:49:06 +00:00
} ,
} ,
{
status : "Error" ,
requestType : "InstallProfile" ,
errors : [ ] mdm . ErrorChain {
{ ErrorCode : 123 , ErrorDomain : "testDomain" , USEnglishDescription : "testMessage" } ,
} ,
2023-09-12 14:59:47 +00:00
prevRetries : 0 , // expect to retry
want : & fleet . HostMDMAppleProfile {
2023-11-07 21:03:03 +00:00
Status : & fleet . MDMDeliveryPending ,
2023-09-12 14:59:47 +00:00
Detail : "" ,
2023-11-07 21:03:03 +00:00
OperationType : fleet . MDMOperationTypeInstall ,
2023-09-12 14:59:47 +00:00
} ,
} ,
{
status : "Error" ,
requestType : "InstallProfile" ,
errors : [ ] mdm . ErrorChain {
{ ErrorCode : 123 , ErrorDomain : "testDomain" , USEnglishDescription : "testMessage" } ,
} ,
prevRetries : 1 , // expect to fail
2023-02-22 17:49:06 +00:00
want : & fleet . HostMDMAppleProfile {
2023-11-07 21:03:03 +00:00
Status : & fleet . MDMDeliveryFailed ,
2023-02-22 17:49:06 +00:00
Detail : "testDomain (123): testMessage\n" ,
2023-11-07 21:03:03 +00:00
OperationType : fleet . MDMOperationTypeInstall ,
2023-02-22 17:49:06 +00:00
} ,
} ,
{
status : "Error" ,
requestType : "RemoveProfile" ,
errors : [ ] mdm . ErrorChain {
{ ErrorCode : 123 , ErrorDomain : "testDomain" , USEnglishDescription : "testMessage" } ,
{ ErrorCode : 321 , ErrorDomain : "domainTest" , USEnglishDescription : "messageTest" } ,
} ,
want : & fleet . HostMDMAppleProfile {
2023-11-07 21:03:03 +00:00
Status : & fleet . MDMDeliveryFailed ,
2023-02-22 17:49:06 +00:00
Detail : "testDomain (123): testMessage\ndomainTest (321): messageTest\n" ,
2023-11-07 21:03:03 +00:00
OperationType : fleet . MDMOperationTypeRemove ,
2023-02-22 17:49:06 +00:00
} ,
} ,
{
status : "Error" ,
requestType : "RemoveProfile" ,
errors : nil ,
want : & fleet . HostMDMAppleProfile {
2023-11-07 21:03:03 +00:00
Status : & fleet . MDMDeliveryFailed ,
2023-02-22 17:49:06 +00:00
Detail : "" ,
2023-11-07 21:03:03 +00:00
OperationType : fleet . MDMOperationTypeRemove ,
2023-02-22 17:49:06 +00:00
} ,
} ,
}
2023-09-12 14:59:47 +00:00
for i , c := range cases {
t . Run ( fmt . Sprintf ( "%s%s-%d" , c . requestType , c . status , i ) , func ( t * testing . T ) {
ds := new ( mock . Store )
svc := MDMAppleCheckinAndCommandService { ds : ds }
ds . GetMDMAppleCommandRequestTypeFunc = func ( ctx context . Context , targetCmd string ) ( string , error ) {
require . Equal ( t , commandUUID , targetCmd )
return c . requestType , nil
}
ds . UpdateOrDeleteHostMDMAppleProfileFunc = func ( ctx context . Context , profile * fleet . HostMDMAppleProfile ) error {
c . want . CommandUUID = commandUUID
c . want . HostUUID = hostUUID
require . Equal ( t , c . want , profile )
return nil
}
2023-11-30 12:17:07 +00:00
ds . GetHostMDMProfileRetryCountByCommandUUIDFunc = func ( ctx context . Context , host * fleet . Host , cmdUUID string ) ( fleet . HostMDMProfileRetryCount , error ) {
require . Equal ( t , hostUUID , host . UUID )
2023-09-12 14:59:47 +00:00
require . Equal ( t , commandUUID , cmdUUID )
return fleet . HostMDMProfileRetryCount { ProfileIdentifier : profileIdentifier , Retries : c . prevRetries } , nil
}
2023-11-30 12:17:07 +00:00
ds . UpdateHostMDMProfilesVerificationFunc = func ( ctx context . Context , host * fleet . Host , toVerify , toFail , toRetry [ ] string ) error {
require . Equal ( t , hostUUID , host . UUID )
2023-09-12 14:59:47 +00:00
require . Nil ( t , toVerify )
require . Nil ( t , toFail )
require . ElementsMatch ( t , toRetry , [ ] string { profileIdentifier } )
return nil
}
2023-02-22 17:49:06 +00:00
2023-09-12 14:59:47 +00:00
_ , err := svc . CommandAndReportResults (
& mdm . Request { Context : ctx } ,
& mdm . CommandResults {
Enrollment : mdm . Enrollment { UDID : hostUUID } ,
CommandUUID : commandUUID ,
Status : c . status ,
ErrorChain : c . errors ,
} ,
)
require . NoError ( t , err )
require . True ( t , ds . GetMDMAppleCommandRequestTypeFuncInvoked )
var shouldCheckCount , shouldRetry , shouldUpdateOrDelete bool
if c . requestType == "InstallProfile" && c . status == "Error" {
shouldCheckCount = true
}
if shouldCheckCount && c . prevRetries == uint ( 0 ) {
shouldRetry = true
}
if c . requestType == "RemoveProfile" || ( c . requestType == "InstallProfile" && ! shouldRetry ) {
shouldUpdateOrDelete = true
}
require . Equal ( t , shouldCheckCount , ds . GetHostMDMProfileRetryCountByCommandUUIDFuncInvoked )
require . Equal ( t , shouldRetry , ds . UpdateHostMDMProfilesVerificationFuncInvoked )
require . Equal ( t , shouldUpdateOrDelete , ds . UpdateOrDeleteHostMDMAppleProfileFuncInvoked )
} )
2023-02-22 17:49:06 +00:00
}
}
2023-02-15 18:01:44 +00:00
func TestMDMBatchSetAppleProfiles ( t * testing . T ) {
2023-05-10 20:22:08 +00:00
svc , ctx , ds := setupAppleMDMService ( t , & fleet . LicenseInfo { Tier : fleet . TierPremium } )
2023-02-15 18:01:44 +00:00
ds . TeamByNameFunc = func ( ctx context . Context , name string ) ( * fleet . Team , error ) {
return & fleet . Team { ID : 1 , Name : name } , nil
}
2023-02-16 16:53:26 +00:00
ds . TeamFunc = func ( ctx context . Context , id uint ) ( * fleet . Team , error ) {
return & fleet . Team { ID : id , Name : "team" } , nil
}
2023-02-15 18:01:44 +00:00
ds . BatchSetMDMAppleProfilesFunc = func ( ctx context . Context , teamID * uint , profiles [ ] * fleet . MDMAppleConfigProfile ) error {
return nil
}
2024-05-24 16:25:27 +00:00
ds . NewActivityFunc = func (
ctx context . Context , user * fleet . User , activity fleet . ActivityDetails , details [ ] byte , createdAt time . Time ,
) error {
2023-02-16 16:53:26 +00:00
return nil
}
2024-08-30 21:00:35 +00:00
ds . BulkSetPendingMDMHostProfilesFunc = func ( ctx context . Context , hids , tids [ ] uint , puuids , uuids [ ] string ,
) ( updates fleet . MDMProfilesUpdates , err error ) {
return fleet . MDMProfilesUpdates { } , nil
2023-03-27 18:43:01 +00:00
}
2024-03-29 19:55:03 +00:00
ds . ListMDMConfigProfilesFunc = func ( ctx context . Context , tid * uint , opt fleet . ListOptions ) ( [ ] * fleet . MDMConfigProfilePayload , * fleet . PaginationMetadata , error ) {
return nil , nil , nil
}
2023-02-15 18:01:44 +00:00
2023-11-30 23:19:18 +00:00
type testCase struct {
2023-02-15 18:01:44 +00:00
name string
user * fleet . User
premium bool
teamID * uint
teamName * string
profiles [ ] [ ] byte
wantErr string
2023-11-30 23:19:18 +00:00
}
testCases := [ ] testCase {
2023-02-15 18:01:44 +00:00
{
"global admin" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } ,
false ,
nil ,
nil ,
nil ,
"" ,
} ,
{
"global admin, team" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } ,
true ,
ptr . Uint ( 1 ) ,
nil ,
nil ,
"" ,
} ,
{
"global maintainer" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleMaintainer ) } ,
false ,
nil ,
nil ,
nil ,
"" ,
} ,
{
"global maintainer, team" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleMaintainer ) } ,
true ,
ptr . Uint ( 1 ) ,
nil ,
nil ,
"" ,
} ,
{
"global observer" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleObserver ) } ,
false ,
nil ,
nil ,
nil ,
authz . ForbiddenErrorMessage ,
} ,
{
"team admin, DOES belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 1 } , Role : fleet . RoleAdmin } } } ,
true ,
ptr . Uint ( 1 ) ,
nil ,
nil ,
"" ,
} ,
{
"team admin, DOES belong to team by name" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 1 } , Role : fleet . RoleAdmin } } } ,
true ,
nil ,
ptr . String ( "team" ) ,
nil ,
"" ,
} ,
{
"team admin, DOES NOT belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 2 } , Role : fleet . RoleAdmin } } } ,
true ,
ptr . Uint ( 1 ) ,
nil ,
nil ,
authz . ForbiddenErrorMessage ,
} ,
{
"team admin, DOES NOT belong to team by name" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 2 } , Role : fleet . RoleAdmin } } } ,
true ,
nil ,
ptr . String ( "team" ) ,
nil ,
authz . ForbiddenErrorMessage ,
} ,
{
"team maintainer, DOES belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 1 } , Role : fleet . RoleMaintainer } } } ,
true ,
ptr . Uint ( 1 ) ,
nil ,
nil ,
"" ,
} ,
{
"team maintainer, DOES NOT belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 2 } , Role : fleet . RoleMaintainer } } } ,
true ,
ptr . Uint ( 1 ) ,
nil ,
nil ,
authz . ForbiddenErrorMessage ,
} ,
{
"team observer, DOES belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 1 } , Role : fleet . RoleObserver } } } ,
true ,
ptr . Uint ( 1 ) ,
nil ,
nil ,
authz . ForbiddenErrorMessage ,
} ,
{
"team observer, DOES NOT belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 2 } , Role : fleet . RoleObserver } } } ,
true ,
ptr . Uint ( 1 ) ,
nil ,
nil ,
authz . ForbiddenErrorMessage ,
} ,
{
"user no roles" ,
& fleet . User { ID : 1337 } ,
false ,
nil ,
nil ,
nil ,
authz . ForbiddenErrorMessage ,
} ,
{
"team id with free license" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } ,
false ,
ptr . Uint ( 1 ) ,
nil ,
nil ,
ErrMissingLicense . Error ( ) ,
} ,
{
"team name with free license" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } ,
false ,
nil ,
ptr . String ( "team" ) ,
nil ,
ErrMissingLicense . Error ( ) ,
} ,
{
"team id and name specified" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } ,
true ,
ptr . Uint ( 1 ) ,
ptr . String ( "team" ) ,
nil ,
"cannot specify both team_id and team_name" ,
} ,
{
"duplicate profile name" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } ,
true ,
ptr . Uint ( 1 ) ,
nil ,
[ ] [ ] byte {
mobileconfigForTest ( "N1" , "I1" ) ,
mobileconfigForTest ( "N1" , "I2" ) ,
} ,
` More than one configuration profile have the same name (PayloadDisplayName): "N1" ` ,
} ,
{
"duplicate profile identifier" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } ,
true ,
ptr . Uint ( 1 ) ,
nil ,
[ ] [ ] byte {
mobileconfigForTest ( "N1" , "I1" ) ,
mobileconfigForTest ( "N2" , "I2" ) ,
mobileconfigForTest ( "N3" , "I1" ) ,
} ,
` More than one configuration profile have the same identifier (PayloadIdentifier): "I1" ` ,
} ,
{
"no duplicates" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } ,
false ,
nil ,
nil ,
[ ] [ ] byte {
mobileconfigForTest ( "N1" , "I1" ) ,
mobileconfigForTest ( "N2" , "I2" ) ,
mobileconfigForTest ( "N3" , "I3" ) ,
} ,
` ` ,
} ,
2023-02-24 20:12:53 +00:00
{
"unsupported payload type" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } ,
false ,
nil ,
nil ,
2025-03-21 14:56:50 +00:00
[ ] [ ] byte { [ ] byte ( fmt . Sprintf ( ` < ? xml version = "1.0" encoding = "UTF-8" ? >
2023-02-24 20:12:53 +00:00
< ! DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" >
< plist version = "1.0" >
< dict >
< key > PayloadContent < / key >
< array >
< dict >
< key > Enable < / key >
< string > On < / string >
< key > PayloadDisplayName < / key >
< string > FileVault 2 < / string >
< key > PayloadIdentifier < / key >
< string > com . apple . MCX . FileVault2 . A5874654 - D6BA - 4649 - 84 B5 - 43847953 B369 < / string >
< key > PayloadType < / key >
2025-03-21 14:56:50 +00:00
< string > % s < / string >
2023-02-24 20:12:53 +00:00
< key > PayloadUUID < / key >
< string > A5874654 - D6BA - 4649 - 84 B5 - 43847953 B369 < / string >
< key > PayloadVersion < / key >
< integer > 1 < / integer >
< / dict >
< / array >
< key > PayloadDisplayName < / key >
< string > Config Profile Name < / string >
< key > PayloadIdentifier < / key >
< string > com . example . config . FE42D0A2 - DBA9 - 4 B72 - BC67 - 9288665 B8D59 < / string >
< key > PayloadType < / key >
< string > Configuration < / string >
< key > PayloadUUID < / key >
< string > FE42D0A2 - DBA9 - 4 B72 - BC67 - 9288665 B8D59 < / string >
< key > PayloadVersion < / key >
< integer > 1 < / integer >
< / dict >
2025-03-21 14:56:50 +00:00
< / plist > ` , mobileconfig . FleetFileVaultPayloadType ) ) } ,
2025-03-21 19:24:52 +00:00
mobileconfig . DiskEncryptionProfileRestrictionErrMsg ,
2023-02-24 20:12:53 +00:00
} ,
2025-04-30 20:03:23 +00:00
{
"uses a Fleet Variable" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } ,
false ,
nil ,
nil ,
[ ] [ ] byte { [ ] byte ( ` < ? xml version = "1.0" encoding = "UTF-8" ? >
< ! DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" >
< plist version = "1.0" >
< dict >
< key > PayloadContent < / key >
< array >
< dict >
< key > Username < / key >
< string > $ FLEET_VAR_HOST_END_USER_IDP_USERNAME < / string >
< / dict >
< / array >
< key > PayloadDisplayName < / key >
< string > Config Profile Name < / string >
< key > PayloadIdentifier < / key >
< string > com . example . config . FE42D0A2 - DBA9 - 4 B72 - BC67 - 9288665 B8D59 < / string >
< key > PayloadType < / key >
< string > Configuration < / string >
< key > PayloadUUID < / key >
< string > FE42D0A2 - DBA9 - 4 B72 - BC67 - 9288665 B8D59 < / string >
< key > PayloadVersion < / key >
< integer > 1 < / integer >
< / dict >
< / plist > ` ) } ,
` profile variables are not supported by this deprecated endpoint ` ,
} ,
2023-02-15 18:01:44 +00:00
}
2023-11-30 23:19:18 +00:00
for name := range fleetmdm . FleetReservedProfileNames ( ) {
testCases = append ( testCases ,
testCase {
"reserved payload outer name " + name ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } ,
true ,
nil ,
nil ,
[ ] [ ] byte { mobileconfigForTest ( name , "I1" ) } ,
name ,
} ,
testCase {
"reserved payload inner name " + name ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } ,
true ,
nil ,
nil ,
[ ] [ ] byte { mobileconfigForTestWithContent ( "N1" , "I1" , "I1" , "PayloadType" , name ) } ,
name ,
} ,
)
}
2023-02-15 18:01:44 +00:00
for _ , tt := range testCases {
t . Run ( tt . name , func ( t * testing . T ) {
defer func ( ) { ds . BatchSetMDMAppleProfilesFuncInvoked = false } ( )
// prepare the context with the user and license
ctx := viewer . NewContext ( ctx , viewer . Viewer { User : tt . user } )
tier := fleet . TierFree
if tt . premium {
tier = fleet . TierPremium
}
ctx = license . NewContext ( ctx , & fleet . LicenseInfo { Tier : tier } )
2023-10-13 11:49:11 +00:00
err := svc . BatchSetMDMAppleProfiles ( ctx , tt . teamID , tt . teamName , tt . profiles , false , false )
2023-02-15 18:01:44 +00:00
if tt . wantErr == "" {
require . NoError ( t , err )
require . True ( t , ds . BatchSetMDMAppleProfilesFuncInvoked )
return
}
require . Error ( t , err )
require . ErrorContains ( t , err , tt . wantErr )
require . False ( t , ds . BatchSetMDMAppleProfilesFuncInvoked )
} )
}
}
2023-10-13 11:49:11 +00:00
func TestMDMBatchSetAppleProfilesBoolArgs ( t * testing . T ) {
svc , ctx , ds := setupAppleMDMService ( t , & fleet . LicenseInfo { Tier : fleet . TierPremium } )
ds . TeamByNameFunc = func ( ctx context . Context , name string ) ( * fleet . Team , error ) {
return & fleet . Team { ID : 1 , Name : name } , nil
}
ds . TeamFunc = func ( ctx context . Context , id uint ) ( * fleet . Team , error ) {
return & fleet . Team { ID : id , Name : "team" } , nil
}
ds . BatchSetMDMAppleProfilesFunc = func ( ctx context . Context , teamID * uint , profiles [ ] * fleet . MDMAppleConfigProfile ) error {
return nil
}
2024-05-24 16:25:27 +00:00
ds . NewActivityFunc = func (
ctx context . Context , user * fleet . User , activity fleet . ActivityDetails , details [ ] byte , createdAt time . Time ,
) error {
2023-10-13 11:49:11 +00:00
return nil
}
2024-08-30 21:00:35 +00:00
ds . BulkSetPendingMDMHostProfilesFunc = func ( ctx context . Context , hids , tids [ ] uint , profileUUIDs , uuids [ ] string ,
) ( updates fleet . MDMProfilesUpdates , err error ) {
return fleet . MDMProfilesUpdates { } , nil
2023-10-13 11:49:11 +00:00
}
2024-03-29 19:55:03 +00:00
ds . ListMDMConfigProfilesFunc = func ( ctx context . Context , tid * uint , opt fleet . ListOptions ) ( [ ] * fleet . MDMConfigProfilePayload , * fleet . PaginationMetadata , error ) {
return nil , nil , nil
}
2023-10-13 11:49:11 +00:00
ctx = viewer . NewContext ( ctx , viewer . Viewer { User : & fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } } )
ctx = license . NewContext ( ctx , & fleet . LicenseInfo { Tier : fleet . TierPremium } )
// dry run doesn't call methods that save stuff in the db
err := svc . BatchSetMDMAppleProfiles ( ctx , nil , nil , [ ] [ ] byte { } , true , false )
require . NoError ( t , err )
require . False ( t , ds . BatchSetMDMAppleProfilesFuncInvoked )
2023-11-20 14:16:02 +00:00
require . False ( t , ds . BulkSetPendingMDMHostProfilesFuncInvoked )
2023-10-13 11:49:11 +00:00
require . False ( t , ds . NewActivityFuncInvoked )
// skipping bulk set only skips that method
err = svc . BatchSetMDMAppleProfiles ( ctx , nil , nil , [ ] [ ] byte { } , false , true )
require . NoError ( t , err )
require . True ( t , ds . BatchSetMDMAppleProfilesFuncInvoked )
2023-11-20 14:16:02 +00:00
require . False ( t , ds . BulkSetPendingMDMHostProfilesFuncInvoked )
2023-10-13 11:49:11 +00:00
require . True ( t , ds . NewActivityFuncInvoked )
}
2023-03-06 14:54:51 +00:00
func TestUpdateMDMAppleSettings ( t * testing . T ) {
2023-05-10 20:22:08 +00:00
svc , ctx , ds := setupAppleMDMService ( t , & fleet . LicenseInfo { Tier : fleet . TierPremium } )
2023-03-06 14:54:51 +00:00
ds . TeamFunc = func ( ctx context . Context , id uint ) ( * fleet . Team , error ) {
return & fleet . Team { ID : id , Name : "team" } , nil
}
ds . SaveTeamFunc = func ( ctx context . Context , team * fleet . Team ) ( * fleet . Team , error ) {
return team , nil
}
2024-05-24 16:25:27 +00:00
ds . NewActivityFunc = func (
ctx context . Context , user * fleet . User , activity fleet . ActivityDetails , details [ ] byte , createdAt time . Time ,
) error {
2023-03-06 14:54:51 +00:00
return nil
}
ds . AppConfigFunc = func ( ctx context . Context ) ( * fleet . AppConfig , error ) {
return & fleet . AppConfig { } , nil
}
ds . SaveAppConfigFunc = func ( ctx context . Context , appConfig * fleet . AppConfig ) error {
return nil
}
testCases := [ ] struct {
name string
user * fleet . User
premium bool
teamID * uint
wantErr string
} {
{
"global admin" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } ,
false ,
nil ,
Linux disk encryption: frontend changes, backend missing private key errors, remove disk encryption endpoints dependence on MDM being enabled (#23714)
## Addresses #22702, #23713, #23756, #23746, #23747, and #23876
_-Note that much of this code as is will render as expected only once
integrated with the backend or if manipulated manually for testing
purposes_
**Frontend**:
- Update banners on my device page, tests
- Build new logic for calling endpoint to trigger linux key escrow on
clicking `Create key`
- Add `CreateLinuxKeyModal` to inform user of next steps after clicking
`Create key`
- Update banners on host details page, tests
- Update the Controls > OS settings section with new logic related to
linux disk encryption
- Expect and include counts of Linux hosts in aggregate disk encryption
stats UI
- Add "Linux" column to the disk encryption table
- Show disk encryption related UI for supported Linux platforms
- TODO: confirm platform string matching functionality in manual e2e
testing
- Expand capabilities of `SectionHeader` component, apply to new UI
- Flash "missing private key" error, with clickable link, when trying to
update disk encryption enabled while no server private key is present.
- TODO: QA this once other endpoints on Controls > Disk encryption are
enabled even when MDM not turned on
- Update Disk encryption key modal copy
-Other TODO:
- Confirm when integrated with API:
- Aggregate disk encryption counts
- Disk encryption table Linux column
- Show disk encryption key action on host details page when expected
- Opens Disk encryption key modal, displays key as expected
**Backend**:
- For "No team" and teams, error when trying to update disk encryption
enabled while no server private key is present.
- Remove requirement of mdm being enabled for use of various endpoints
related to Linux disk encryption
- Update tests
_________
**Host details and my device page banners**
**Create key modal**
<img width="1799" alt="create-key-modal"
src="https://github.com/user-attachments/assets/81a55ccb-b6b9-4eb6-b2ff-a463c60724c0">
**Enabling disk encryption**
**Disk encryption: Fleet free**
<img width="1912" alt="free"
src="https://github.com/user-attachments/assets/9f9cace3-8955-47c2-87d9-24ff9387ac1a">
**Custom settings: turn on MDM**
<img width="1912" alt="turn on mdm"
src="https://github.com/user-attachments/assets/4d3ad47b-4035-4d93-86f0-dc2691b38bb4">
**Device status indicators**
**Encryption key action and modal**
- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
- [ ] Full e2e testing to do when integrated with backend
---------
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
2024-11-20 19:58:47 +00:00
fleet . ErrMissingLicense . Error ( ) ,
2023-03-06 14:54:51 +00:00
} ,
{
"global admin premium" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } ,
true ,
nil ,
"" ,
} ,
{
"global admin, team" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } ,
true ,
ptr . Uint ( 1 ) ,
"" ,
} ,
{
"global maintainer" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleMaintainer ) } ,
false ,
nil ,
Linux disk encryption: frontend changes, backend missing private key errors, remove disk encryption endpoints dependence on MDM being enabled (#23714)
## Addresses #22702, #23713, #23756, #23746, #23747, and #23876
_-Note that much of this code as is will render as expected only once
integrated with the backend or if manipulated manually for testing
purposes_
**Frontend**:
- Update banners on my device page, tests
- Build new logic for calling endpoint to trigger linux key escrow on
clicking `Create key`
- Add `CreateLinuxKeyModal` to inform user of next steps after clicking
`Create key`
- Update banners on host details page, tests
- Update the Controls > OS settings section with new logic related to
linux disk encryption
- Expect and include counts of Linux hosts in aggregate disk encryption
stats UI
- Add "Linux" column to the disk encryption table
- Show disk encryption related UI for supported Linux platforms
- TODO: confirm platform string matching functionality in manual e2e
testing
- Expand capabilities of `SectionHeader` component, apply to new UI
- Flash "missing private key" error, with clickable link, when trying to
update disk encryption enabled while no server private key is present.
- TODO: QA this once other endpoints on Controls > Disk encryption are
enabled even when MDM not turned on
- Update Disk encryption key modal copy
-Other TODO:
- Confirm when integrated with API:
- Aggregate disk encryption counts
- Disk encryption table Linux column
- Show disk encryption key action on host details page when expected
- Opens Disk encryption key modal, displays key as expected
**Backend**:
- For "No team" and teams, error when trying to update disk encryption
enabled while no server private key is present.
- Remove requirement of mdm being enabled for use of various endpoints
related to Linux disk encryption
- Update tests
_________
**Host details and my device page banners**
**Create key modal**
<img width="1799" alt="create-key-modal"
src="https://github.com/user-attachments/assets/81a55ccb-b6b9-4eb6-b2ff-a463c60724c0">
**Enabling disk encryption**
**Disk encryption: Fleet free**
<img width="1912" alt="free"
src="https://github.com/user-attachments/assets/9f9cace3-8955-47c2-87d9-24ff9387ac1a">
**Custom settings: turn on MDM**
<img width="1912" alt="turn on mdm"
src="https://github.com/user-attachments/assets/4d3ad47b-4035-4d93-86f0-dc2691b38bb4">
**Device status indicators**
**Encryption key action and modal**
- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
- [ ] Full e2e testing to do when integrated with backend
---------
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
2024-11-20 19:58:47 +00:00
fleet . ErrMissingLicense . Error ( ) ,
2023-03-06 14:54:51 +00:00
} ,
{
"global maintainer premium" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleMaintainer ) } ,
true ,
nil ,
"" ,
} ,
{
"global maintainer, team" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleMaintainer ) } ,
true ,
ptr . Uint ( 1 ) ,
"" ,
} ,
{
"global observer" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleObserver ) } ,
true ,
nil ,
authz . ForbiddenErrorMessage ,
} ,
{
"team admin, DOES belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 1 } , Role : fleet . RoleAdmin } } } ,
true ,
ptr . Uint ( 1 ) ,
"" ,
} ,
{
"team admin, DOES NOT belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 2 } , Role : fleet . RoleAdmin } } } ,
true ,
ptr . Uint ( 1 ) ,
authz . ForbiddenErrorMessage ,
} ,
{
"team maintainer, DOES belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 1 } , Role : fleet . RoleMaintainer } } } ,
true ,
ptr . Uint ( 1 ) ,
"" ,
} ,
{
"team maintainer, DOES NOT belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 2 } , Role : fleet . RoleMaintainer } } } ,
true ,
ptr . Uint ( 1 ) ,
authz . ForbiddenErrorMessage ,
} ,
{
"team observer, DOES belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 1 } , Role : fleet . RoleObserver } } } ,
true ,
ptr . Uint ( 1 ) ,
authz . ForbiddenErrorMessage ,
} ,
{
"team observer, DOES NOT belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 2 } , Role : fleet . RoleObserver } } } ,
true ,
ptr . Uint ( 1 ) ,
authz . ForbiddenErrorMessage ,
} ,
{
"user no roles" ,
& fleet . User { ID : 1337 } ,
true ,
nil ,
authz . ForbiddenErrorMessage ,
} ,
{
"team id with free license" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } ,
false ,
ptr . Uint ( 1 ) ,
Linux disk encryption: frontend changes, backend missing private key errors, remove disk encryption endpoints dependence on MDM being enabled (#23714)
## Addresses #22702, #23713, #23756, #23746, #23747, and #23876
_-Note that much of this code as is will render as expected only once
integrated with the backend or if manipulated manually for testing
purposes_
**Frontend**:
- Update banners on my device page, tests
- Build new logic for calling endpoint to trigger linux key escrow on
clicking `Create key`
- Add `CreateLinuxKeyModal` to inform user of next steps after clicking
`Create key`
- Update banners on host details page, tests
- Update the Controls > OS settings section with new logic related to
linux disk encryption
- Expect and include counts of Linux hosts in aggregate disk encryption
stats UI
- Add "Linux" column to the disk encryption table
- Show disk encryption related UI for supported Linux platforms
- TODO: confirm platform string matching functionality in manual e2e
testing
- Expand capabilities of `SectionHeader` component, apply to new UI
- Flash "missing private key" error, with clickable link, when trying to
update disk encryption enabled while no server private key is present.
- TODO: QA this once other endpoints on Controls > Disk encryption are
enabled even when MDM not turned on
- Update Disk encryption key modal copy
-Other TODO:
- Confirm when integrated with API:
- Aggregate disk encryption counts
- Disk encryption table Linux column
- Show disk encryption key action on host details page when expected
- Opens Disk encryption key modal, displays key as expected
**Backend**:
- For "No team" and teams, error when trying to update disk encryption
enabled while no server private key is present.
- Remove requirement of mdm being enabled for use of various endpoints
related to Linux disk encryption
- Update tests
_________
**Host details and my device page banners**
**Create key modal**
<img width="1799" alt="create-key-modal"
src="https://github.com/user-attachments/assets/81a55ccb-b6b9-4eb6-b2ff-a463c60724c0">
**Enabling disk encryption**
**Disk encryption: Fleet free**
<img width="1912" alt="free"
src="https://github.com/user-attachments/assets/9f9cace3-8955-47c2-87d9-24ff9387ac1a">
**Custom settings: turn on MDM**
<img width="1912" alt="turn on mdm"
src="https://github.com/user-attachments/assets/4d3ad47b-4035-4d93-86f0-dc2691b38bb4">
**Device status indicators**
**Encryption key action and modal**
- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
- [ ] Full e2e testing to do when integrated with backend
---------
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
2024-11-20 19:58:47 +00:00
fleet . ErrMissingLicense . Error ( ) ,
2023-03-06 14:54:51 +00:00
} ,
}
for _ , tt := range testCases {
t . Run ( tt . name , func ( t * testing . T ) {
// prepare the context with the user and license
ctx := viewer . NewContext ( ctx , viewer . Viewer { User : tt . user } )
tier := fleet . TierFree
if tt . premium {
tier = fleet . TierPremium
}
ctx = license . NewContext ( ctx , & fleet . LicenseInfo { Tier : tier } )
2025-07-23 19:38:49 +00:00
err := svc . UpdateMDMDiskEncryption ( ctx , tt . teamID , nil , nil )
2023-03-06 14:54:51 +00:00
if tt . wantErr == "" {
require . NoError ( t , err )
return
}
require . Error ( t , err )
require . ErrorContains ( t , err , tt . wantErr )
} )
}
}
2023-05-10 20:22:08 +00:00
func TestUpdateMDMAppleSetup ( t * testing . T ) {
setupTest := func ( tier string ) ( fleet . Service , context . Context , * mock . Store ) {
svc , ctx , ds := setupAppleMDMService ( t , & fleet . LicenseInfo { Tier : tier } )
ds . TeamFunc = func ( ctx context . Context , id uint ) ( * fleet . Team , error ) {
return & fleet . Team { ID : id , Name : "team" } , nil
}
ds . SaveTeamFunc = func ( ctx context . Context , team * fleet . Team ) ( * fleet . Team , error ) {
return team , nil
}
2024-05-24 16:25:27 +00:00
ds . NewActivityFunc = func (
ctx context . Context , user * fleet . User , activity fleet . ActivityDetails , details [ ] byte , createdAt time . Time ,
) error {
2023-05-10 20:22:08 +00:00
return nil
}
ds . AppConfigFunc = func ( ctx context . Context ) ( * fleet . AppConfig , error ) {
return & fleet . AppConfig { MDM : fleet . MDM { EnabledAndConfigured : true } } , nil
}
ds . SaveAppConfigFunc = func ( ctx context . Context , appConfig * fleet . AppConfig ) error {
return nil
}
return svc , ctx , ds
}
type testCase struct {
name string
user * fleet . User
teamID * uint
wantErr string
}
// TODO: Add tests for gitops and observer plus roles? (Settings endpoint test above may also need to be updated)
t . Run ( "FreeTier" , func ( t * testing . T ) {
freeTestCases := [ ] testCase {
{
"global admin" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } ,
nil ,
"Requires Fleet Premium license" ,
} ,
{
"global maintainer" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleMaintainer ) } ,
nil ,
"Requires Fleet Premium license" ,
} ,
{
"team id with free license" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } ,
ptr . Uint ( 1 ) ,
"Requires Fleet Premium license" ,
} ,
}
svc , ctx , _ := setupTest ( fleet . TierFree )
for _ , tt := range freeTestCases {
t . Run ( tt . name , func ( t * testing . T ) {
// prepare the context with the user and license
ctx := viewer . NewContext ( ctx , viewer . Viewer { User : tt . user } )
err := svc . UpdateMDMAppleSetup ( ctx , fleet . MDMAppleSetupPayload { TeamID : tt . teamID } )
if tt . wantErr == "" {
require . NoError ( t , err )
return
}
require . Error ( t , err )
require . ErrorContains ( t , err , tt . wantErr )
} )
}
} )
t . Run ( "PremiumTier" , func ( t * testing . T ) {
premiumTestCases := [ ] testCase {
{
"global admin premium" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } ,
nil ,
"" ,
} ,
{
"global admin, team" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleAdmin ) } ,
ptr . Uint ( 1 ) ,
"" ,
} ,
{
"global maintainer premium" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleMaintainer ) } ,
nil ,
"" ,
} ,
{
"global maintainer, team" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleMaintainer ) } ,
ptr . Uint ( 1 ) ,
"" ,
} ,
{
"global observer" ,
& fleet . User { GlobalRole : ptr . String ( fleet . RoleObserver ) } ,
nil ,
authz . ForbiddenErrorMessage ,
} ,
{
"team admin, DOES belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 1 } , Role : fleet . RoleAdmin } } } ,
ptr . Uint ( 1 ) ,
"" ,
} ,
{
"team admin, DOES NOT belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 2 } , Role : fleet . RoleAdmin } } } ,
ptr . Uint ( 1 ) ,
authz . ForbiddenErrorMessage ,
} ,
{
"team maintainer, DOES belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 1 } , Role : fleet . RoleMaintainer } } } ,
ptr . Uint ( 1 ) ,
"" ,
} ,
{
"team maintainer, DOES NOT belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 2 } , Role : fleet . RoleMaintainer } } } ,
ptr . Uint ( 1 ) ,
authz . ForbiddenErrorMessage ,
} ,
{
"team observer, DOES belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 1 } , Role : fleet . RoleObserver } } } ,
ptr . Uint ( 1 ) ,
authz . ForbiddenErrorMessage ,
} ,
{
"team observer, DOES NOT belong to team" ,
& fleet . User { Teams : [ ] fleet . UserTeam { { Team : fleet . Team { ID : 2 } , Role : fleet . RoleObserver } } } ,
ptr . Uint ( 1 ) ,
authz . ForbiddenErrorMessage ,
} ,
{
"user no roles" ,
& fleet . User { ID : 1337 } ,
nil ,
authz . ForbiddenErrorMessage ,
} ,
}
svc , ctx , _ := setupTest ( fleet . TierPremium )
for _ , tt := range premiumTestCases {
t . Run ( tt . name , func ( t * testing . T ) {
// prepare the context with the user and license
ctx := viewer . NewContext ( ctx , viewer . Viewer { User : tt . user } )
err := svc . UpdateMDMAppleSetup ( ctx , fleet . MDMAppleSetupPayload { TeamID : tt . teamID } )
if tt . wantErr == "" {
require . NoError ( t , err )
return
}
require . Error ( t , err )
require . ErrorContains ( t , err , tt . wantErr )
} )
}
} )
}
2023-11-10 14:05:10 +00:00
func TestMDMAppleReconcileAppleProfiles ( t * testing . T ) {
2023-02-22 17:49:06 +00:00
ctx := context . Background ( )
2024-05-30 21:18:42 +00:00
mdmStorage := & mdmmock . MDMAppleStore { }
2023-02-22 17:49:06 +00:00
ds := new ( mock . Store )
pushFactory , _ := newMockAPNSPushProviderFactory ( )
pusher := nanomdm_pushsvc . New (
mdmStorage ,
mdmStorage ,
pushFactory ,
NewNanoMDMLogger ( kitlog . NewNopLogger ( ) ) ,
)
2024-04-18 21:01:37 +00:00
mdmConfig := config . MDMConfig {
AppleSCEPCert : "./testdata/server.pem" ,
AppleSCEPKey : "./testdata/server.key" ,
}
2024-10-09 18:47:27 +00:00
ds . GetAllMDMConfigAssetsByNameFunc = func ( ctx context . Context , assetNames [ ] fleet . MDMAssetName ,
2024-11-05 18:12:22 +00:00
_ sqlx . QueryerContext ,
) ( map [ fleet . MDMAssetName ] fleet . MDMConfigAsset , error ) {
2024-05-30 21:18:42 +00:00
_ , pemCert , pemKey , err := mdmConfig . AppleSCEP ( )
require . NoError ( t , err )
return map [ fleet . MDMAssetName ] fleet . MDMConfigAsset {
fleet . MDMAssetCACert : { Value : pemCert } ,
fleet . MDMAssetCAKey : { Value : pemKey } ,
} , nil
}
cmdr := apple_mdm . NewMDMAppleCommander ( mdmStorage , pusher )
2025-06-16 20:46:38 +00:00
hostUUID1 , hostUUID2 := "ABC-DEF" , "GHI-JKL"
hostUUID1UserEnrollment := hostUUID1 + ":user"
2023-02-22 17:49:06 +00:00
contents1 := [ ] byte ( "test-content-1" )
2024-10-09 18:47:27 +00:00
expectedContents1 := [ ] byte ( "test-content-1" ) // used for Fleet variable substitution
2023-02-22 17:49:06 +00:00
contents2 := [ ] byte ( "test-content-2" )
2023-03-27 18:43:01 +00:00
contents4 := [ ] byte ( "test-content-4" )
2025-06-16 20:46:38 +00:00
contents5 := [ ] byte ( "test-contents-5" )
2023-02-22 17:49:06 +00:00
2025-06-16 20:46:38 +00:00
p1 , p2 , p3 , p4 , p5 , p6 := "a" + uuid . NewString ( ) , "a" + uuid . NewString ( ) , "a" + uuid . NewString ( ) , "a" + uuid . NewString ( ) , "a" + uuid . NewString ( ) , "a" + uuid . NewString ( )
Add Read-only Transaction to fetch profiles to install and remove all at once (#32737)
Speculative fix for #30915
For why this is needed, see
https://github.com/fleetdm/fleet/issues/30915#issuecomment-3259641371
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved reliability of Apple device profile installation and removal
by performing coordinated, read-only transactional reads. Reduces race
conditions and intermittent discrepancies during profile syncs, leading
to more consistent outcomes across fleets.
* **Tests**
* Added tests to verify the combined install/remove results remain
consistent with the individual lists, ensuring accurate and stable
behavior under various state changes.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-10 13:29:04 +00:00
baseProfilesToInstall := [ ] * fleet . MDMAppleProfilePayload {
{ ProfileUUID : p1 , ProfileIdentifier : "com.add.profile" , HostUUID : hostUUID1 , Scope : fleet . PayloadScopeSystem } ,
{ ProfileUUID : p2 , ProfileIdentifier : "com.add.profile.two" , HostUUID : hostUUID1 , Scope : fleet . PayloadScopeSystem } ,
{ ProfileUUID : p2 , ProfileIdentifier : "com.add.profile.two" , HostUUID : hostUUID2 , Scope : fleet . PayloadScopeSystem } ,
{ ProfileUUID : p4 , ProfileIdentifier : "com.add.profile.four" , HostUUID : hostUUID2 , Scope : fleet . PayloadScopeSystem } ,
{ ProfileUUID : p5 , ProfileIdentifier : "com.add.profile.five" , HostUUID : hostUUID1 , Scope : fleet . PayloadScopeUser } ,
{ ProfileUUID : p5 , ProfileIdentifier : "com.add.profile.five" , HostUUID : hostUUID2 , Scope : fleet . PayloadScopeUser } ,
2023-02-22 17:49:06 +00:00
}
Add Read-only Transaction to fetch profiles to install and remove all at once (#32737)
Speculative fix for #30915
For why this is needed, see
https://github.com/fleetdm/fleet/issues/30915#issuecomment-3259641371
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved reliability of Apple device profile installation and removal
by performing coordinated, read-only transactional reads. Reduces race
conditions and intermittent discrepancies during profile syncs, leading
to more consistent outcomes across fleets.
* **Tests**
* Added tests to verify the combined install/remove results remain
consistent with the individual lists, ensuring accurate and stable
behavior under various state changes.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-10 13:29:04 +00:00
baseProfilesToRemove := [ ] * fleet . MDMAppleProfilePayload {
{ ProfileUUID : p3 , ProfileIdentifier : "com.remove.profile" , HostUUID : hostUUID1 , Scope : fleet . PayloadScopeSystem } ,
{ ProfileUUID : p3 , ProfileIdentifier : "com.remove.profile" , HostUUID : hostUUID2 , Scope : fleet . PayloadScopeSystem } ,
{ ProfileUUID : p6 , ProfileIdentifier : "com.remove.profile.six" , HostUUID : hostUUID1 , Scope : fleet . PayloadScopeUser } ,
{ ProfileUUID : p6 , ProfileIdentifier : "com.remove.profile.six" , HostUUID : hostUUID2 , Scope : fleet . PayloadScopeUser } ,
}
ds . ListMDMAppleProfilesToInstallAndRemoveFunc = func ( ctx context . Context ) ( [ ] * fleet . MDMAppleProfilePayload , [ ] * fleet . MDMAppleProfilePayload , error ) {
return baseProfilesToInstall , baseProfilesToRemove , nil
2023-02-22 17:49:06 +00:00
}
2023-12-04 15:04:06 +00:00
ds . GetMDMAppleProfilesContentsFunc = func ( ctx context . Context , profileUUIDs [ ] string ) ( map [ string ] mobileconfig . Mobileconfig , error ) {
2025-06-16 20:46:38 +00:00
require . ElementsMatch ( t , [ ] string { p1 , p2 , p4 , p5 } , profileUUIDs )
2023-03-27 18:43:01 +00:00
// only those profiles that are to be installed
2023-12-04 15:04:06 +00:00
return map [ string ] mobileconfig . Mobileconfig {
p1 : contents1 ,
p2 : contents2 ,
p4 : contents4 ,
2025-06-16 20:46:38 +00:00
p5 : contents5 ,
2023-02-22 17:49:06 +00:00
} , nil
}
2023-07-20 21:11:45 +00:00
ds . BulkDeleteMDMAppleHostsConfigProfilesFunc = func ( ctx context . Context , payload [ ] * fleet . MDMAppleProfilePayload ) error {
2025-07-02 14:54:54 +00:00
require . ElementsMatch ( t , payload , [ ] * fleet . MDMAppleProfilePayload { { ProfileUUID : p6 , ProfileIdentifier : "com.remove.profile.six" , HostUUID : hostUUID2 , Scope : fleet . PayloadScopeUser } } )
2023-07-20 21:11:45 +00:00
return nil
}
2025-06-16 20:46:38 +00:00
ds . GetNanoMDMUserEnrollmentFunc = func ( ctx context . Context , hostUUID string ) ( * fleet . NanoEnrollment , error ) {
if hostUUID == hostUUID1 {
return & fleet . NanoEnrollment {
ID : hostUUID1UserEnrollment ,
DeviceID : hostUUID1 ,
Type : "User" ,
Enabled : true ,
TokenUpdateTally : 1 ,
} , nil
}
// hostUUID2 has no user enrollment
assert . Equal ( t , hostUUID2 , hostUUID )
return nil , nil
}
2025-01-06 19:16:34 +00:00
mdmStorage . BulkDeleteHostUserCommandsWithoutResultsFunc = func ( ctx context . Context , commandToIDs map [ string ] [ ] string ) error {
require . Empty ( t , commandToIDs )
return nil
}
2023-07-20 21:11:45 +00:00
2023-11-07 21:03:03 +00:00
var enqueueFailForOp fleet . MDMOperationType
2024-04-18 21:01:37 +00:00
var mu sync . Mutex
2024-12-20 21:40:23 +00:00
mdmStorage . EnqueueCommandFunc = func ( ctx context . Context , id [ ] string , cmd * mdm . CommandWithSubtype ) ( map [ string ] error , error ) {
2023-02-22 17:49:06 +00:00
require . NotNil ( t , cmd )
2023-03-27 18:43:01 +00:00
require . NotEmpty ( t , cmd . CommandUUID )
2023-02-22 17:49:06 +00:00
2024-12-20 21:40:23 +00:00
switch cmd . Command . Command . RequestType {
2023-02-22 17:49:06 +00:00
case "InstallProfile" :
2023-03-27 18:43:01 +00:00
2024-04-18 21:01:37 +00:00
var fullCmd micromdm . CommandPayload
require . NoError ( t , plist . Unmarshal ( cmd . Raw , & fullCmd ) )
// the p7 library doesn't support concurrent calls to Parse
mu . Lock ( )
p7 , err := pkcs7 . Parse ( fullCmd . Command . InstallProfile . Payload )
mu . Unlock ( )
require . NoError ( t , err )
2024-10-09 18:47:27 +00:00
if ! bytes . Equal ( p7 . Content , expectedContents1 ) && ! bytes . Equal ( p7 . Content , contents2 ) &&
2025-06-16 20:46:38 +00:00
! bytes . Equal ( p7 . Content , contents4 ) && ! bytes . Equal ( p7 . Content , contents5 ) {
2023-03-27 18:43:01 +00:00
require . Failf ( t , "profile contents don't match" , "expected to contain %s, %s or %s but got %s" ,
2024-10-09 18:47:27 +00:00
expectedContents1 , contents2 , contents4 , p7 . Content )
2023-02-22 17:49:06 +00:00
}
2025-06-16 20:46:38 +00:00
// may be called for a single host or both
if len ( id ) == 2 {
if bytes . Equal ( p7 . Content , contents5 ) {
require . ElementsMatch ( t , [ ] string { hostUUID1UserEnrollment , hostUUID2 } , id )
} else {
require . ElementsMatch ( t , [ ] string { hostUUID1 , hostUUID2 } , id )
}
} else {
require . Len ( t , id , 1 )
}
2023-02-22 17:49:06 +00:00
case "RemoveProfile" :
2025-06-16 20:46:38 +00:00
if len ( id ) == 1 {
require . Equal ( t , hostUUID1UserEnrollment , id [ 0 ] )
} else {
require . ElementsMatch ( t , [ ] string { hostUUID1 , hostUUID2 } , id )
}
2023-02-22 17:49:06 +00:00
require . Contains ( t , string ( cmd . Raw ) , "com.remove.profile" )
}
2023-03-27 18:43:01 +00:00
switch {
2024-12-20 21:40:23 +00:00
case enqueueFailForOp == fleet . MDMOperationTypeInstall && cmd . Command . Command . RequestType == "InstallProfile" :
2023-03-27 18:43:01 +00:00
return nil , errors . New ( "enqueue error" )
2024-12-20 21:40:23 +00:00
case enqueueFailForOp == fleet . MDMOperationTypeRemove && cmd . Command . Command . RequestType == "RemoveProfile" :
2023-03-27 18:43:01 +00:00
return nil , errors . New ( "enqueue error" )
}
2023-02-22 17:49:06 +00:00
return nil , nil
}
mdmStorage . RetrievePushInfoFunc = func ( ctx context . Context , tokens [ ] string ) ( map [ string ] * mdm . Push , error ) {
res := make ( map [ string ] * mdm . Push , len ( tokens ) )
for _ , t := range tokens {
res [ t ] = & mdm . Push {
PushMagic : "" ,
Token : [ ] byte ( t ) ,
Topic : "" ,
}
}
return res , nil
}
mdmStorage . RetrievePushCertFunc = func ( ctx context . Context , topic string ) ( * tls . Certificate , string , error ) {
cert , err := tls . LoadX509KeyPair ( "testdata/server.pem" , "testdata/server.key" )
return & cert , "" , err
}
mdmStorage . IsPushCertStaleFunc = func ( ctx context . Context , topic string , staleToken string ) ( bool , error ) {
return false , nil
}
2024-10-09 18:47:27 +00:00
mdmStorage . GetAllMDMConfigAssetsByNameFunc = func ( ctx context . Context , assetNames [ ] fleet . MDMAssetName ,
2024-11-05 18:12:22 +00:00
_ sqlx . QueryerContext ,
) ( map [ fleet . MDMAssetName ] fleet . MDMConfigAsset , error ) {
2024-05-30 21:18:42 +00:00
certPEM , err := os . ReadFile ( "./testdata/server.pem" )
require . NoError ( t , err )
keyPEM , err := os . ReadFile ( "./testdata/server.key" )
require . NoError ( t , err )
return map [ fleet . MDMAssetName ] fleet . MDMConfigAsset {
fleet . MDMAssetCACert : { Value : certPEM } ,
fleet . MDMAssetCAKey : { Value : keyPEM } ,
} , nil
}
2023-02-22 17:49:06 +00:00
2023-03-27 18:43:01 +00:00
var failedCall bool
var failedCheck func ( [ ] * fleet . MDMAppleBulkUpsertHostProfilePayload )
2023-02-22 17:49:06 +00:00
ds . BulkUpsertMDMAppleHostProfilesFunc = func ( ctx context . Context , payload [ ] * fleet . MDMAppleBulkUpsertHostProfilePayload ) error {
2023-03-27 18:43:01 +00:00
if failedCall {
failedCheck ( payload )
2023-02-22 17:49:06 +00:00
return nil
}
2023-03-27 18:43:01 +00:00
// next call will be failed call, until reset
failedCall = true
// first time it is called, it is to set the status to pending and all
// host profiles have a command uuid
2023-12-04 15:04:06 +00:00
cmdUUIDByProfileUUIDInstall := make ( map [ string ] string )
cmdUUIDByProfileUUIDRemove := make ( map [ string ] string )
2023-03-27 18:43:01 +00:00
copies := make ( [ ] * fleet . MDMAppleBulkUpsertHostProfilePayload , len ( payload ) )
for i , p := range payload {
2025-07-02 14:54:54 +00:00
// clear the command UUID (in a copy so that it does not affect the
// pointed-to struct) from the payload for the subsequent checks
copyp := * p
copyp . CommandUUID = ""
copies [ i ] = & copyp
// Host with no user enrollment, so install fails
if p . HostUUID == hostUUID2 && p . ProfileUUID == p5 {
continue
}
2023-11-07 21:03:03 +00:00
if p . OperationType == fleet . MDMOperationTypeInstall {
2023-12-04 15:04:06 +00:00
existing , ok := cmdUUIDByProfileUUIDInstall [ p . ProfileUUID ]
2023-03-27 18:43:01 +00:00
if ok {
require . Equal ( t , existing , p . CommandUUID )
} else {
2023-12-04 15:04:06 +00:00
cmdUUIDByProfileUUIDInstall [ p . ProfileUUID ] = p . CommandUUID
2023-03-27 18:43:01 +00:00
}
} else {
2023-11-07 21:03:03 +00:00
require . Equal ( t , fleet . MDMOperationTypeRemove , p . OperationType )
2023-12-04 15:04:06 +00:00
existing , ok := cmdUUIDByProfileUUIDRemove [ p . ProfileUUID ]
2023-03-27 18:43:01 +00:00
if ok {
require . Equal ( t , existing , p . CommandUUID )
} else {
2023-12-04 15:04:06 +00:00
cmdUUIDByProfileUUIDRemove [ p . ProfileUUID ] = p . CommandUUID
2023-03-27 18:43:01 +00:00
}
}
}
2023-02-22 17:49:06 +00:00
require . ElementsMatch ( t , [ ] * fleet . MDMAppleBulkUpsertHostProfilePayload {
{
2023-12-04 15:04:06 +00:00
ProfileUUID : p1 ,
2023-02-22 17:49:06 +00:00
ProfileIdentifier : "com.add.profile" ,
2025-06-16 20:46:38 +00:00
HostUUID : hostUUID1 ,
2023-11-07 21:03:03 +00:00
OperationType : fleet . MDMOperationTypeInstall ,
Status : & fleet . MDMDeliveryPending ,
2025-06-16 20:46:38 +00:00
Scope : fleet . PayloadScopeSystem ,
2023-02-22 17:49:06 +00:00
} ,
{
2023-12-04 15:04:06 +00:00
ProfileUUID : p2 ,
2023-02-22 17:49:06 +00:00
ProfileIdentifier : "com.add.profile.two" ,
2025-06-16 20:46:38 +00:00
HostUUID : hostUUID1 ,
2023-11-07 21:03:03 +00:00
OperationType : fleet . MDMOperationTypeInstall ,
Status : & fleet . MDMDeliveryPending ,
2025-06-16 20:46:38 +00:00
Scope : fleet . PayloadScopeSystem ,
2023-03-27 18:43:01 +00:00
} ,
{
2023-12-04 15:04:06 +00:00
ProfileUUID : p2 ,
2023-03-27 18:43:01 +00:00
ProfileIdentifier : "com.add.profile.two" ,
HostUUID : hostUUID2 ,
2023-11-07 21:03:03 +00:00
OperationType : fleet . MDMOperationTypeInstall ,
Status : & fleet . MDMDeliveryPending ,
2025-06-16 20:46:38 +00:00
Scope : fleet . PayloadScopeSystem ,
2023-02-22 17:49:06 +00:00
} ,
{
2023-12-04 15:04:06 +00:00
ProfileUUID : p3 ,
2023-02-22 17:49:06 +00:00
ProfileIdentifier : "com.remove.profile" ,
2025-06-16 20:46:38 +00:00
HostUUID : hostUUID1 ,
2023-11-07 21:03:03 +00:00
OperationType : fleet . MDMOperationTypeRemove ,
Status : & fleet . MDMDeliveryPending ,
2025-06-16 20:46:38 +00:00
Scope : fleet . PayloadScopeSystem ,
2023-02-22 17:49:06 +00:00
} ,
2023-03-27 18:43:01 +00:00
{
2023-12-04 15:04:06 +00:00
ProfileUUID : p3 ,
2023-03-27 18:43:01 +00:00
ProfileIdentifier : "com.remove.profile" ,
HostUUID : hostUUID2 ,
2023-11-07 21:03:03 +00:00
OperationType : fleet . MDMOperationTypeRemove ,
Status : & fleet . MDMDeliveryPending ,
2025-06-16 20:46:38 +00:00
Scope : fleet . PayloadScopeSystem ,
2023-03-27 18:43:01 +00:00
} ,
{
2023-12-04 15:04:06 +00:00
ProfileUUID : p4 ,
2023-03-27 18:43:01 +00:00
ProfileIdentifier : "com.add.profile.four" ,
HostUUID : hostUUID2 ,
2023-11-07 21:03:03 +00:00
OperationType : fleet . MDMOperationTypeInstall ,
Status : & fleet . MDMDeliveryPending ,
2025-06-16 20:46:38 +00:00
Scope : fleet . PayloadScopeSystem ,
} ,
// This host has a user enrollment so the profile is sent to it
{
ProfileUUID : p5 ,
ProfileIdentifier : "com.add.profile.five" ,
HostUUID : hostUUID1 ,
OperationType : fleet . MDMOperationTypeInstall ,
Status : & fleet . MDMDeliveryPending ,
Scope : fleet . PayloadScopeUser ,
} ,
2025-07-02 14:54:54 +00:00
// This host has no user enrollment so the profile is errored
2025-06-16 20:46:38 +00:00
{
ProfileUUID : p5 ,
ProfileIdentifier : "com.add.profile.five" ,
HostUUID : hostUUID2 ,
OperationType : fleet . MDMOperationTypeInstall ,
2025-07-02 14:54:54 +00:00
Detail : "This setting couldn't be enforced because the user channel doesn't exist for this host. Currently, Fleet creates the user channel for hosts that automatically enroll." ,
Status : & fleet . MDMDeliveryFailed ,
Scope : fleet . PayloadScopeUser ,
2025-06-16 20:46:38 +00:00
} ,
// This host has a user enrollment so the profile is removed from it
{
ProfileUUID : p6 ,
ProfileIdentifier : "com.remove.profile.six" ,
HostUUID : hostUUID1 ,
OperationType : fleet . MDMOperationTypeRemove ,
Status : & fleet . MDMDeliveryPending ,
Scope : fleet . PayloadScopeUser ,
2023-03-27 18:43:01 +00:00
} ,
2025-07-02 14:54:54 +00:00
// Note that host2 has no user enrollment so the profile is not marked for removal
// from it
2023-03-27 18:43:01 +00:00
} , copies )
2023-02-22 17:49:06 +00:00
return nil
}
2023-04-04 20:09:20 +00:00
ds . AppConfigFunc = func ( ctx context . Context ) ( * fleet . AppConfig , error ) {
appCfg := & fleet . AppConfig { }
appCfg . ServerSettings . ServerURL = "https://test.example.com"
2023-11-30 12:17:07 +00:00
appCfg . MDM . EnabledAndConfigured = true
2023-04-04 20:09:20 +00:00
return appCfg , nil
}
2025-09-04 16:39:41 +00:00
ds . GetGroupedCertificateAuthoritiesFunc = func ( ctx context . Context , includeSecrets bool ) ( * fleet . GroupedCertificateAuthorities , error ) {
return & fleet . GroupedCertificateAuthorities { } , nil
}
2023-04-04 20:09:20 +00:00
ds . BulkUpsertMDMAppleConfigProfilesFunc = func ( ctx context . Context , p [ ] * fleet . MDMAppleConfigProfile ) error {
return nil
}
ds . AggregateEnrollSecretPerTeamFunc = func ( ctx context . Context ) ( [ ] * fleet . EnrollSecret , error ) {
return [ ] * fleet . EnrollSecret { } , nil
}
2023-03-27 18:43:01 +00:00
checkAndReset := func ( t * testing . T , want bool , invoked * bool ) {
if want {
2024-10-09 18:47:27 +00:00
assert . True ( t , * invoked )
2023-03-27 18:43:01 +00:00
} else {
2024-10-09 18:47:27 +00:00
assert . False ( t , * invoked )
2023-03-27 18:43:01 +00:00
}
* invoked = false
}
t . Run ( "success" , func ( t * testing . T ) {
var failedCount int
failedCall = false
failedCheck = func ( payload [ ] * fleet . MDMAppleBulkUpsertHostProfilePayload ) {
failedCount ++
require . Len ( t , payload , 0 )
}
2024-05-30 21:18:42 +00:00
err := ReconcileAppleProfiles ( ctx , ds , cmdr , kitlog . NewNopLogger ( ) )
2023-03-27 18:43:01 +00:00
require . NoError ( t , err )
require . Equal ( t , 1 , failedCount )
Add Read-only Transaction to fetch profiles to install and remove all at once (#32737)
Speculative fix for #30915
For why this is needed, see
https://github.com/fleetdm/fleet/issues/30915#issuecomment-3259641371
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved reliability of Apple device profile installation and removal
by performing coordinated, read-only transactional reads. Reduces race
conditions and intermittent discrepancies during profile syncs, leading
to more consistent outcomes across fleets.
* **Tests**
* Added tests to verify the combined install/remove results remain
consistent with the individual lists, ensuring accurate and stable
behavior under various state changes.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-10 13:29:04 +00:00
checkAndReset ( t , true , & ds . ListMDMAppleProfilesToInstallAndRemoveFuncInvoked )
2023-03-27 18:43:01 +00:00
checkAndReset ( t , true , & ds . GetMDMAppleProfilesContentsFuncInvoked )
checkAndReset ( t , true , & ds . BulkUpsertMDMAppleHostProfilesFuncInvoked )
2025-06-16 20:46:38 +00:00
checkAndReset ( t , true , & ds . GetNanoMDMUserEnrollmentFuncInvoked )
2023-03-27 18:43:01 +00:00
} )
t . Run ( "fail enqueue remove ops" , func ( t * testing . T ) {
var failedCount int
failedCall = false
failedCheck = func ( payload [ ] * fleet . MDMAppleBulkUpsertHostProfilePayload ) {
failedCount ++
2025-06-16 20:46:38 +00:00
require . Len ( t , payload , 3 ) // the 3 remove ops
2023-03-27 18:43:01 +00:00
require . ElementsMatch ( t , [ ] * fleet . MDMAppleBulkUpsertHostProfilePayload {
{
2023-12-04 15:04:06 +00:00
ProfileUUID : p3 ,
2023-03-27 18:43:01 +00:00
ProfileIdentifier : "com.remove.profile" ,
2025-06-16 20:46:38 +00:00
HostUUID : hostUUID1 ,
2023-11-07 21:03:03 +00:00
OperationType : fleet . MDMOperationTypeRemove ,
2023-03-27 18:43:01 +00:00
Status : nil ,
CommandUUID : "" ,
2025-06-16 20:46:38 +00:00
Scope : fleet . PayloadScopeSystem ,
2023-03-27 18:43:01 +00:00
} ,
{
2023-12-04 15:04:06 +00:00
ProfileUUID : p3 ,
2023-03-27 18:43:01 +00:00
ProfileIdentifier : "com.remove.profile" ,
HostUUID : hostUUID2 ,
2023-11-07 21:03:03 +00:00
OperationType : fleet . MDMOperationTypeRemove ,
2023-03-27 18:43:01 +00:00
Status : nil ,
CommandUUID : "" ,
2025-06-16 20:46:38 +00:00
Scope : fleet . PayloadScopeSystem ,
} ,
{
ProfileUUID : p6 ,
ProfileIdentifier : "com.remove.profile.six" ,
HostUUID : hostUUID1 ,
OperationType : fleet . MDMOperationTypeRemove ,
Status : nil ,
CommandUUID : "" ,
Scope : fleet . PayloadScopeUser ,
2023-03-27 18:43:01 +00:00
} ,
} , payload )
}
2023-11-07 21:03:03 +00:00
enqueueFailForOp = fleet . MDMOperationTypeRemove
2024-05-30 21:18:42 +00:00
err := ReconcileAppleProfiles ( ctx , ds , cmdr , kitlog . NewNopLogger ( ) )
2023-03-27 18:43:01 +00:00
require . NoError ( t , err )
require . Equal ( t , 1 , failedCount )
Add Read-only Transaction to fetch profiles to install and remove all at once (#32737)
Speculative fix for #30915
For why this is needed, see
https://github.com/fleetdm/fleet/issues/30915#issuecomment-3259641371
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved reliability of Apple device profile installation and removal
by performing coordinated, read-only transactional reads. Reduces race
conditions and intermittent discrepancies during profile syncs, leading
to more consistent outcomes across fleets.
* **Tests**
* Added tests to verify the combined install/remove results remain
consistent with the individual lists, ensuring accurate and stable
behavior under various state changes.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-10 13:29:04 +00:00
checkAndReset ( t , true , & ds . ListMDMAppleProfilesToInstallAndRemoveFuncInvoked )
2023-03-27 18:43:01 +00:00
checkAndReset ( t , true , & ds . GetMDMAppleProfilesContentsFuncInvoked )
checkAndReset ( t , true , & ds . BulkUpsertMDMAppleHostProfilesFuncInvoked )
2025-06-16 20:46:38 +00:00
checkAndReset ( t , true , & ds . GetNanoMDMUserEnrollmentFuncInvoked )
2023-03-27 18:43:01 +00:00
} )
t . Run ( "fail enqueue install ops" , func ( t * testing . T ) {
var failedCount int
failedCall = false
failedCheck = func ( payload [ ] * fleet . MDMAppleBulkUpsertHostProfilePayload ) {
failedCount ++
2025-07-02 14:54:54 +00:00
require . Len ( t , payload , 5 ) // the 5 install ops
2023-03-27 18:43:01 +00:00
require . ElementsMatch ( t , [ ] * fleet . MDMAppleBulkUpsertHostProfilePayload {
{
2023-12-04 15:04:06 +00:00
ProfileUUID : p1 ,
2023-03-27 18:43:01 +00:00
ProfileIdentifier : "com.add.profile" ,
2025-06-16 20:46:38 +00:00
HostUUID : hostUUID1 , OperationType : fleet . MDMOperationTypeInstall ,
Status : nil ,
CommandUUID : "" ,
Scope : fleet . PayloadScopeSystem ,
2023-03-27 18:43:01 +00:00
} ,
{
2023-12-04 15:04:06 +00:00
ProfileUUID : p2 ,
2023-03-27 18:43:01 +00:00
ProfileIdentifier : "com.add.profile.two" ,
2025-06-16 20:46:38 +00:00
HostUUID : hostUUID1 , OperationType : fleet . MDMOperationTypeInstall ,
Status : nil ,
CommandUUID : "" ,
Scope : fleet . PayloadScopeSystem ,
2023-03-27 18:43:01 +00:00
} ,
{
2023-12-04 15:04:06 +00:00
ProfileUUID : p2 ,
2023-03-27 18:43:01 +00:00
ProfileIdentifier : "com.add.profile.two" ,
HostUUID : hostUUID2 ,
2023-11-07 21:03:03 +00:00
OperationType : fleet . MDMOperationTypeInstall ,
2023-03-27 18:43:01 +00:00
Status : nil ,
CommandUUID : "" ,
2025-06-16 20:46:38 +00:00
Scope : fleet . PayloadScopeSystem ,
2023-03-27 18:43:01 +00:00
} ,
{
2023-12-04 15:04:06 +00:00
ProfileUUID : p4 ,
2023-03-27 18:43:01 +00:00
ProfileIdentifier : "com.add.profile.four" ,
HostUUID : hostUUID2 ,
2023-11-07 21:03:03 +00:00
OperationType : fleet . MDMOperationTypeInstall ,
2023-03-27 18:43:01 +00:00
Status : nil ,
CommandUUID : "" ,
2025-06-16 20:46:38 +00:00
Scope : fleet . PayloadScopeSystem ,
} ,
{
ProfileUUID : p5 ,
ProfileIdentifier : "com.add.profile.five" ,
HostUUID : hostUUID1 ,
OperationType : fleet . MDMOperationTypeInstall ,
Status : nil ,
CommandUUID : "" ,
Scope : fleet . PayloadScopeUser ,
} ,
2023-03-27 18:43:01 +00:00
} , payload )
}
2023-11-07 21:03:03 +00:00
enqueueFailForOp = fleet . MDMOperationTypeInstall
2024-05-30 21:18:42 +00:00
err := ReconcileAppleProfiles ( ctx , ds , cmdr , kitlog . NewNopLogger ( ) )
2023-03-27 18:43:01 +00:00
require . NoError ( t , err )
require . Equal ( t , 1 , failedCount )
Add Read-only Transaction to fetch profiles to install and remove all at once (#32737)
Speculative fix for #30915
For why this is needed, see
https://github.com/fleetdm/fleet/issues/30915#issuecomment-3259641371
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved reliability of Apple device profile installation and removal
by performing coordinated, read-only transactional reads. Reduces race
conditions and intermittent discrepancies during profile syncs, leading
to more consistent outcomes across fleets.
* **Tests**
* Added tests to verify the combined install/remove results remain
consistent with the individual lists, ensuring accurate and stable
behavior under various state changes.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-10 13:29:04 +00:00
checkAndReset ( t , true , & ds . ListMDMAppleProfilesToInstallAndRemoveFuncInvoked )
2023-03-27 18:43:01 +00:00
checkAndReset ( t , true , & ds . GetMDMAppleProfilesContentsFuncInvoked )
checkAndReset ( t , true , & ds . BulkUpsertMDMAppleHostProfilesFuncInvoked )
2025-06-16 20:46:38 +00:00
checkAndReset ( t , true , & ds . GetNanoMDMUserEnrollmentFuncInvoked )
2023-03-27 18:43:01 +00:00
} )
2024-10-09 18:47:27 +00:00
// Zero profiles to remove
Add Read-only Transaction to fetch profiles to install and remove all at once (#32737)
Speculative fix for #30915
For why this is needed, see
https://github.com/fleetdm/fleet/issues/30915#issuecomment-3259641371
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved reliability of Apple device profile installation and removal
by performing coordinated, read-only transactional reads. Reduces race
conditions and intermittent discrepancies during profile syncs, leading
to more consistent outcomes across fleets.
* **Tests**
* Added tests to verify the combined install/remove results remain
consistent with the individual lists, ensuring accurate and stable
behavior under various state changes.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-10 13:29:04 +00:00
ds . ListMDMAppleProfilesToInstallAndRemoveFunc = func ( ctx context . Context ) ( [ ] * fleet . MDMAppleProfilePayload , [ ] * fleet . MDMAppleProfilePayload , error ) {
return baseProfilesToInstall , nil , nil
2024-10-09 18:47:27 +00:00
}
2025-07-02 14:54:54 +00:00
ds . BulkDeleteMDMAppleHostsConfigProfilesFunc = func ( ctx context . Context , payload [ ] * fleet . MDMAppleProfilePayload ) error {
require . Empty ( t , payload )
return nil
}
2024-10-09 18:47:27 +00:00
ds . BulkUpsertMDMAppleHostProfilesFunc = func ( ctx context . Context , payload [ ] * fleet . MDMAppleBulkUpsertHostProfilePayload ) error {
if failedCall {
failedCheck ( payload )
return nil
}
// next call will be failed call, until reset
failedCall = true
// first time it is called, it is to set the status to pending and all
// host profiles have a command uuid
cmdUUIDByProfileUUIDInstall := make ( map [ string ] string )
cmdUUIDByProfileUUIDRemove := make ( map [ string ] string )
copies := make ( [ ] * fleet . MDMAppleBulkUpsertHostProfilePayload , len ( payload ) )
for i , p := range payload {
2025-07-02 14:54:54 +00:00
// clear the command UUID (in a copy so that it does not affect the
// pointed-to struct) from the payload for the subsequent checks
copyp := * p
copyp . CommandUUID = ""
copies [ i ] = & copyp
// Host with no user enrollment, so install fails
if p . HostUUID == hostUUID2 && p . ProfileUUID == p5 {
continue
}
2024-10-09 18:47:27 +00:00
if p . OperationType == fleet . MDMOperationTypeInstall {
existing , ok := cmdUUIDByProfileUUIDInstall [ p . ProfileUUID ]
if ok {
require . Equal ( t , existing , p . CommandUUID )
} else {
cmdUUIDByProfileUUIDInstall [ p . ProfileUUID ] = p . CommandUUID
}
} else {
require . Equal ( t , fleet . MDMOperationTypeRemove , p . OperationType )
existing , ok := cmdUUIDByProfileUUIDRemove [ p . ProfileUUID ]
if ok {
require . Equal ( t , existing , p . CommandUUID )
} else {
cmdUUIDByProfileUUIDRemove [ p . ProfileUUID ] = p . CommandUUID
}
}
}
require . ElementsMatch ( t , [ ] * fleet . MDMAppleBulkUpsertHostProfilePayload {
{
ProfileUUID : p1 ,
ProfileIdentifier : "com.add.profile" ,
2025-06-16 20:46:38 +00:00
HostUUID : hostUUID1 ,
2024-10-09 18:47:27 +00:00
OperationType : fleet . MDMOperationTypeInstall ,
Status : & fleet . MDMDeliveryPending ,
2025-06-16 20:46:38 +00:00
Scope : fleet . PayloadScopeSystem ,
2024-10-09 18:47:27 +00:00
} ,
{
ProfileUUID : p2 ,
ProfileIdentifier : "com.add.profile.two" ,
2025-06-16 20:46:38 +00:00
HostUUID : hostUUID1 ,
2024-10-09 18:47:27 +00:00
OperationType : fleet . MDMOperationTypeInstall ,
Status : & fleet . MDMDeliveryPending ,
2025-06-16 20:46:38 +00:00
Scope : fleet . PayloadScopeSystem ,
2024-10-09 18:47:27 +00:00
} ,
{
ProfileUUID : p2 ,
ProfileIdentifier : "com.add.profile.two" ,
HostUUID : hostUUID2 ,
OperationType : fleet . MDMOperationTypeInstall ,
Status : & fleet . MDMDeliveryPending ,
2025-06-16 20:46:38 +00:00
Scope : fleet . PayloadScopeSystem ,
2024-10-09 18:47:27 +00:00
} ,
{
ProfileUUID : p4 ,
ProfileIdentifier : "com.add.profile.four" ,
HostUUID : hostUUID2 ,
OperationType : fleet . MDMOperationTypeInstall ,
Status : & fleet . MDMDeliveryPending ,
2025-06-16 20:46:38 +00:00
Scope : fleet . PayloadScopeSystem ,
} ,
{
ProfileUUID : p5 ,
ProfileIdentifier : "com.add.profile.five" ,
HostUUID : hostUUID1 ,
OperationType : fleet . MDMOperationTypeInstall ,
Status : & fleet . MDMDeliveryPending ,
Scope : fleet . PayloadScopeUser ,
} ,
// This host has no user enrollment so the profile is sent to the device enrollment
{
ProfileUUID : p5 ,
ProfileIdentifier : "com.add.profile.five" ,
HostUUID : hostUUID2 ,
OperationType : fleet . MDMOperationTypeInstall ,
2025-07-02 14:54:54 +00:00
Status : & fleet . MDMDeliveryFailed ,
Detail : "This setting couldn't be enforced because the user channel doesn't exist for this host. Currently, Fleet creates the user channel for hosts that automatically enroll." ,
Scope : fleet . PayloadScopeUser ,
2024-10-09 18:47:27 +00:00
} ,
} , copies )
return nil
}
ds . AppConfigFunc = func ( ctx context . Context ) ( * fleet . AppConfig , error ) {
appCfg := & fleet . AppConfig { }
appCfg . ServerSettings . ServerURL = "https://test.example.com"
appCfg . MDM . EnabledAndConfigured = true
return appCfg , nil
}
2025-09-04 16:39:41 +00:00
// TODO(hca): Mock this to enable NDES?
// ds.GetAllCertificateAuthoritiesFunc = func(ctx context.Context, includeSecrets bool) ([]*fleet.CertificateAuthority, error) {
// return []*fleet.CertificateAuthority{}, nil
// }
2024-10-09 18:47:27 +00:00
ctx = license . NewContext ( ctx , & fleet . LicenseInfo { Tier : fleet . TierPremium } )
2025-04-30 19:31:45 +00:00
ds . BulkUpsertMDMManagedCertificatesFunc = func ( ctx context . Context , payload [ ] * fleet . MDMManagedCertificate ) error {
2024-10-11 14:20:19 +00:00
assert . Empty ( t , payload )
return nil
}
2024-10-09 18:47:27 +00:00
2025-09-04 16:39:41 +00:00
// TODO(hca): ask Magnus where/how new tests cover the CA portion of this test
2025-08-10 10:24:38 +00:00
t . Run ( "replace $FLEET_VAR_" + string ( fleet . FleetVarNDESSCEPProxyURL ) , func ( t * testing . T ) {
2024-10-14 20:11:34 +00:00
var upsertCount int
2024-10-09 18:47:27 +00:00
failedCall = false
failedCheck = func ( payload [ ] * fleet . MDMAppleBulkUpsertHostProfilePayload ) {
2024-10-14 20:11:34 +00:00
upsertCount ++
if upsertCount == 1 {
// We update the profile with a new command UUID
assert . Len ( t , payload , 1 , "at upsertCount %d" , upsertCount )
} else {
assert . Len ( t , payload , 0 , "at upsertCount %d" , upsertCount )
}
2024-10-09 18:47:27 +00:00
}
enqueueFailForOp = ""
2025-04-29 18:35:37 +00:00
newContents := "$FLEET_VAR_" + fleet . FleetVarNDESSCEPProxyURL
2024-10-09 18:47:27 +00:00
originalContents1 := contents1
originalExpectedContents1 := expectedContents1
contents1 = [ ] byte ( newContents )
2025-06-16 20:46:38 +00:00
expectedContents1 = [ ] byte ( "https://test.example.com" + apple_mdm . SCEPProxyPath + url . QueryEscape ( fmt . Sprintf ( "%s,%s,NDES" , hostUUID1 , p1 ) ) )
2024-10-09 18:47:27 +00:00
t . Cleanup ( func ( ) {
contents1 = originalContents1
expectedContents1 = originalExpectedContents1
} )
err := ReconcileAppleProfiles ( ctx , ds , cmdr , kitlog . NewNopLogger ( ) )
require . NoError ( t , err )
2024-10-14 20:11:34 +00:00
assert . Equal ( t , 2 , upsertCount )
2025-09-04 16:39:41 +00:00
// checkAndReset(t, true, &ds.GetAllCertificateAuthoritiesFuncInvoked)
Add Read-only Transaction to fetch profiles to install and remove all at once (#32737)
Speculative fix for #30915
For why this is needed, see
https://github.com/fleetdm/fleet/issues/30915#issuecomment-3259641371
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved reliability of Apple device profile installation and removal
by performing coordinated, read-only transactional reads. Reduces race
conditions and intermittent discrepancies during profile syncs, leading
to more consistent outcomes across fleets.
* **Tests**
* Added tests to verify the combined install/remove results remain
consistent with the individual lists, ensuring accurate and stable
behavior under various state changes.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-10 13:29:04 +00:00
checkAndReset ( t , true , & ds . ListMDMAppleProfilesToInstallAndRemoveFuncInvoked )
2024-10-09 18:47:27 +00:00
checkAndReset ( t , true , & ds . GetMDMAppleProfilesContentsFuncInvoked )
checkAndReset ( t , true , & ds . BulkUpsertMDMAppleHostProfilesFuncInvoked )
2025-06-16 20:46:38 +00:00
checkAndReset ( t , true , & ds . GetNanoMDMUserEnrollmentFuncInvoked )
2024-10-09 18:47:27 +00:00
} )
2025-09-04 16:39:41 +00:00
// TODO(hca): ask Magnus where/how new tests cover the CA portion of this test
2025-08-10 10:24:38 +00:00
t . Run ( "preprocessor fails on $FLEET_VAR_" + string ( fleet . FleetVarHostEndUserEmailIDP ) , func ( t * testing . T ) {
2024-10-09 18:47:27 +00:00
var failedCount int
failedCall = false
failedCheck = func ( payload [ ] * fleet . MDMAppleBulkUpsertHostProfilePayload ) {
failedCount ++
require . Len ( t , payload , 0 )
}
enqueueFailForOp = ""
2025-04-29 18:35:37 +00:00
newContents := "$FLEET_VAR_" + fleet . FleetVarHostEndUserEmailIDP
2024-10-09 18:47:27 +00:00
originalContents1 := contents1
contents1 = [ ] byte ( newContents )
t . Cleanup ( func ( ) {
contents1 = originalContents1
} )
ds . GetHostEmailsFunc = func ( ctx context . Context , hostUUID string , source string ) ( [ ] string , error ) {
return nil , errors . New ( "GetHostEmailsFuncError" )
}
err := ReconcileAppleProfiles ( ctx , ds , cmdr , kitlog . NewNopLogger ( ) )
assert . ErrorContains ( t , err , "GetHostEmailsFuncError" )
2025-09-04 16:39:41 +00:00
// checkAndReset(t, true, &ds.GetAllCertificateAuthoritiesFuncInvoked)
Add Read-only Transaction to fetch profiles to install and remove all at once (#32737)
Speculative fix for #30915
For why this is needed, see
https://github.com/fleetdm/fleet/issues/30915#issuecomment-3259641371
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved reliability of Apple device profile installation and removal
by performing coordinated, read-only transactional reads. Reduces race
conditions and intermittent discrepancies during profile syncs, leading
to more consistent outcomes across fleets.
* **Tests**
* Added tests to verify the combined install/remove results remain
consistent with the individual lists, ensuring accurate and stable
behavior under various state changes.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-10 13:29:04 +00:00
checkAndReset ( t , true , & ds . ListMDMAppleProfilesToInstallAndRemoveFuncInvoked )
2024-10-09 18:47:27 +00:00
checkAndReset ( t , true , & ds . GetMDMAppleProfilesContentsFuncInvoked )
checkAndReset ( t , true , & ds . BulkUpsertMDMAppleHostProfilesFuncInvoked )
2025-06-16 20:46:38 +00:00
checkAndReset ( t , true , & ds . GetNanoMDMUserEnrollmentFuncInvoked )
2024-10-09 18:47:27 +00:00
} )
2025-09-04 16:39:41 +00:00
// TODO(hca): ask Magnus where/how new tests cover the CA portion of this test
2024-10-09 18:47:27 +00:00
t . Run ( "bad $FLEET_VAR" , func ( t * testing . T ) {
var failedCount int
failedCall = false
var hostUUIDs [ ] string
failedCheck = func ( payload [ ] * fleet . MDMAppleBulkUpsertHostProfilePayload ) {
if len ( payload ) > 0 {
failedCount ++
}
for _ , p := range payload {
assert . Equal ( t , fleet . MDMDeliveryFailed , * p . Status )
assert . Contains ( t , p . Detail , "FLEET_VAR_BOZO" )
for i , hu := range hostUUIDs {
if hu == p . HostUUID {
// remove element
hostUUIDs = append ( hostUUIDs [ : i ] , hostUUIDs [ i + 1 : ] ... )
break
}
}
}
}
enqueueFailForOp = ""
// All profiles will have bad contents
badContents := "bad-content: $FLEET_VAR_BOZO"
originalContents1 := contents1
originalContents2 := contents2
originalContents4 := contents4
2025-06-16 20:46:38 +00:00
originalContents5 := contents5
2024-10-09 18:47:27 +00:00
contents1 = [ ] byte ( badContents )
contents2 = [ ] byte ( badContents )
contents4 = [ ] byte ( badContents )
2025-06-16 20:46:38 +00:00
contents5 = [ ] byte ( badContents )
2024-10-09 18:47:27 +00:00
t . Cleanup ( func ( ) {
contents1 = originalContents1
contents2 = originalContents2
contents4 = originalContents4
2025-06-16 20:46:38 +00:00
contents5 = originalContents5
2024-10-09 18:47:27 +00:00
} )
Add Read-only Transaction to fetch profiles to install and remove all at once (#32737)
Speculative fix for #30915
For why this is needed, see
https://github.com/fleetdm/fleet/issues/30915#issuecomment-3259641371
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved reliability of Apple device profile installation and removal
by performing coordinated, read-only transactional reads. Reduces race
conditions and intermittent discrepancies during profile syncs, leading
to more consistent outcomes across fleets.
* **Tests**
* Added tests to verify the combined install/remove results remain
consistent with the individual lists, ensuring accurate and stable
behavior under various state changes.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-10 13:29:04 +00:00
profilesToInstall , _ , _ := ds . ListMDMAppleProfilesToInstallAndRemoveFunc ( ctx )
2024-10-09 18:47:27 +00:00
hostUUIDs = make ( [ ] string , 0 , len ( profilesToInstall ) )
for _ , p := range profilesToInstall {
2025-07-02 14:54:54 +00:00
// This host will error before this point - should not be updated by the variable failure
if p . HostUUID == hostUUID2 && p . ProfileUUID == p5 {
continue
}
2024-10-09 18:47:27 +00:00
hostUUIDs = append ( hostUUIDs , p . HostUUID )
}
err := ReconcileAppleProfiles ( ctx , ds , cmdr , kitlog . NewNopLogger ( ) )
require . NoError ( t , err )
assert . Empty ( t , hostUUIDs , "all host+profile combinations should be updated" )
2025-06-16 20:46:38 +00:00
require . Equal ( t , 4 , failedCount , "number of profiles with bad content" )
2025-09-04 16:39:41 +00:00
// checkAndReset(t, true, &ds.GetAllCertificateAuthoritiesFuncInvoked)
Add Read-only Transaction to fetch profiles to install and remove all at once (#32737)
Speculative fix for #30915
For why this is needed, see
https://github.com/fleetdm/fleet/issues/30915#issuecomment-3259641371
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved reliability of Apple device profile installation and removal
by performing coordinated, read-only transactional reads. Reduces race
conditions and intermittent discrepancies during profile syncs, leading
to more consistent outcomes across fleets.
* **Tests**
* Added tests to verify the combined install/remove results remain
consistent with the individual lists, ensuring accurate and stable
behavior under various state changes.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-10 13:29:04 +00:00
checkAndReset ( t , true , & ds . ListMDMAppleProfilesToInstallAndRemoveFuncInvoked )
2024-10-09 18:47:27 +00:00
checkAndReset ( t , true , & ds . GetMDMAppleProfilesContentsFuncInvoked )
checkAndReset ( t , true , & ds . BulkUpsertMDMAppleHostProfilesFuncInvoked )
2025-06-16 20:46:38 +00:00
checkAndReset ( t , true , & ds . GetNanoMDMUserEnrollmentFuncInvoked )
2024-10-09 18:47:27 +00:00
// Check that individual updates were not done (bulk update should be done)
checkAndReset ( t , false , & ds . UpdateOrDeleteHostMDMAppleProfileFuncInvoked )
} )
}
func TestPreprocessProfileContents ( t * testing . T ) {
ctx := context . Background ( )
2025-03-10 18:02:49 +00:00
logger := kitlog . NewNopLogger ( )
2024-10-09 18:47:27 +00:00
appCfg := & fleet . AppConfig { }
appCfg . ServerSettings . ServerURL = "https://test.example.com"
appCfg . MDM . EnabledAndConfigured = true
2025-09-04 16:39:41 +00:00
// appCfg.Integrations.NDESSCEPProxy.Valid = true
2024-10-09 18:47:27 +00:00
ds := new ( mock . Store )
// No-op
2025-03-14 17:16:51 +00:00
svc := eeservice . NewSCEPConfigService ( logger , nil )
2025-03-20 16:36:00 +00:00
digiCertService := digicert . NewService ( digicert . WithLogger ( logger ) )
2025-09-04 16:39:41 +00:00
err := preprocessProfileContents ( ctx , appCfg , ds , svc , digiCertService , logger , nil , nil , nil , nil , nil )
2024-10-09 18:47:27 +00:00
require . NoError ( t , err )
hostUUID := "host-1"
cmdUUID := "cmd-1"
var targets map [ string ] * cmdTarget
populateTargets := func ( ) {
targets = map [ string ] * cmdTarget {
2025-06-16 20:46:38 +00:00
"p1" : { cmdUUID : cmdUUID , profIdent : "com.add.profile" , enrollmentIDs : [ ] string { hostUUID } } ,
2024-10-09 18:47:27 +00:00
}
}
hostProfilesToInstallMap := make ( map [ hostProfileUUID ] * fleet . MDMAppleBulkUpsertHostProfilePayload , 1 )
hostProfilesToInstallMap [ hostProfileUUID { HostUUID : hostUUID , ProfileUUID : "p1" } ] = & fleet . MDMAppleBulkUpsertHostProfilePayload {
ProfileUUID : "p1" ,
ProfileIdentifier : "com.add.profile" ,
HostUUID : hostUUID ,
OperationType : fleet . MDMOperationTypeInstall ,
Status : & fleet . MDMDeliveryPending ,
CommandUUID : cmdUUID ,
2025-06-16 20:46:38 +00:00
Scope : fleet . PayloadScopeSystem ,
2024-10-09 18:47:27 +00:00
}
2025-06-16 20:46:38 +00:00
userEnrollmentsToHostUUIDsMap := make ( map [ string ] string )
2024-10-09 18:47:27 +00:00
populateTargets ( )
profileContents := map [ string ] mobileconfig . Mobileconfig {
2025-04-29 18:35:37 +00:00
"p1" : [ ] byte ( "$FLEET_VAR_" + fleet . FleetVarNDESSCEPProxyURL ) ,
2024-10-09 18:47:27 +00:00
}
var updatedPayload * fleet . MDMAppleBulkUpsertHostProfilePayload
ds . BulkUpsertMDMAppleHostProfilesFunc = func ( ctx context . Context , payload [ ] * fleet . MDMAppleBulkUpsertHostProfilePayload ) error {
require . Len ( t , payload , 1 )
updatedPayload = payload [ 0 ]
for _ , p := range payload {
require . NotNil ( t , p . Status )
assert . Equal ( t , fleet . MDMDeliveryFailed , * p . Status )
assert . Equal ( t , cmdUUID , p . CommandUUID )
assert . Equal ( t , hostUUID , p . HostUUID )
assert . Equal ( t , fleet . MDMOperationTypeInstall , p . OperationType )
2025-06-16 20:46:38 +00:00
assert . Equal ( t , fleet . PayloadScopeSystem , p . Scope )
2024-10-09 18:47:27 +00:00
}
return nil
}
// Can't use NDES SCEP proxy with free tier
ctx = license . NewContext ( ctx , & fleet . LicenseInfo { Tier : fleet . TierFree } )
2025-09-04 16:39:41 +00:00
err = preprocessProfileContents ( ctx , appCfg , ds , svc , digiCertService , logger , targets , profileContents , hostProfilesToInstallMap , userEnrollmentsToHostUUIDsMap , nil )
2024-10-09 18:47:27 +00:00
require . NoError ( t , err )
require . NotNil ( t , updatedPayload )
assert . Contains ( t , updatedPayload . Detail , "Premium license" )
assert . Empty ( t , targets )
// Can't use NDES SCEP proxy without it being configured
ctx = license . NewContext ( ctx , & fleet . LicenseInfo { Tier : fleet . TierPremium } )
2025-09-04 16:39:41 +00:00
// appCfg.Integrations.NDESSCEPProxy.Valid = false
2024-10-09 18:47:27 +00:00
updatedPayload = nil
populateTargets ( )
2025-09-04 16:39:41 +00:00
err = preprocessProfileContents ( ctx , appCfg , ds , svc , digiCertService , logger , targets , profileContents , hostProfilesToInstallMap , userEnrollmentsToHostUUIDsMap , & fleet . GroupedCertificateAuthorities { } )
2024-10-09 18:47:27 +00:00
require . NoError ( t , err )
require . NotNil ( t , updatedPayload )
assert . Contains ( t , updatedPayload . Detail , "not configured" )
2025-05-13 21:22:27 +00:00
assert . NotNil ( t , updatedPayload . VariablesUpdatedAt )
2024-10-09 18:47:27 +00:00
assert . Empty ( t , targets )
// Unknown variable
profileContents = map [ string ] mobileconfig . Mobileconfig {
"p1" : [ ] byte ( "$FLEET_VAR_BOZO" ) ,
}
2025-09-04 16:39:41 +00:00
// appCfg.Integrations.NDESSCEPProxy.Valid = true
2024-10-09 18:47:27 +00:00
updatedPayload = nil
populateTargets ( )
2025-09-04 16:39:41 +00:00
err = preprocessProfileContents ( ctx , appCfg , ds , svc , digiCertService , logger , targets , profileContents , hostProfilesToInstallMap , userEnrollmentsToHostUUIDsMap , nil )
2024-10-09 18:47:27 +00:00
require . NoError ( t , err )
require . NotNil ( t , updatedPayload )
assert . Contains ( t , updatedPayload . Detail , "FLEET_VAR_BOZO" )
assert . Empty ( t , targets )
ndesPassword := "test-password"
ds . GetAllMDMConfigAssetsByNameFunc = func ( ctx context . Context ,
2024-11-05 18:12:22 +00:00
assetNames [ ] fleet . MDMAssetName , _ sqlx . QueryerContext ,
) ( map [ fleet . MDMAssetName ] fleet . MDMConfigAsset , error ) {
2024-10-09 18:47:27 +00:00
return map [ fleet . MDMAssetName ] fleet . MDMConfigAsset {
fleet . MDMAssetNDESPassword : { Value : [ ] byte ( ndesPassword ) } ,
} , nil
}
ds . BulkUpsertMDMAppleHostProfilesFunc = nil
var updatedProfile * fleet . HostMDMAppleProfile
ds . UpdateOrDeleteHostMDMAppleProfileFunc = func ( ctx context . Context , profile * fleet . HostMDMAppleProfile ) error {
updatedProfile = profile
require . NotNil ( t , updatedProfile . Status )
assert . Equal ( t , fleet . MDMDeliveryFailed , * updatedProfile . Status )
assert . Equal ( t , cmdUUID , updatedProfile . CommandUUID )
assert . Equal ( t , hostUUID , updatedProfile . HostUUID )
assert . Equal ( t , fleet . MDMOperationTypeInstall , updatedProfile . OperationType )
return nil
}
2025-04-30 19:31:45 +00:00
ds . BulkUpsertMDMManagedCertificatesFunc = func ( ctx context . Context , payload [ ] * fleet . MDMManagedCertificate ) error {
2024-10-11 14:20:19 +00:00
assert . Empty ( t , payload )
return nil
}
2024-10-09 18:47:27 +00:00
2025-09-04 16:39:41 +00:00
adminUrl := "https://example.com"
username := "admin"
password := "test-password"
groupedCAs := & fleet . GroupedCertificateAuthorities {
NDESSCEP : & fleet . NDESSCEPProxyCA {
URL : "https://test-example.com" ,
AdminURL : adminUrl ,
Username : username ,
Password : password ,
} ,
}
2024-10-09 18:47:27 +00:00
// Could not get NDES SCEP challenge
profileContents = map [ string ] mobileconfig . Mobileconfig {
2025-04-29 18:35:37 +00:00
"p1" : [ ] byte ( "$FLEET_VAR_" + fleet . FleetVarNDESSCEPChallenge ) ,
2024-10-09 18:47:27 +00:00
}
2025-03-14 17:16:51 +00:00
scepConfig := & scep_mock . SCEPConfigService { }
2025-09-04 16:39:41 +00:00
scepConfig . GetNDESSCEPChallengeFunc = func ( ctx context . Context , proxy fleet . NDESSCEPProxyCA ) ( string , error ) {
2024-10-09 18:47:27 +00:00
assert . Equal ( t , ndesPassword , proxy . Password )
return "" , eeservice . NewNDESInvalidError ( "NDES error" )
}
updatedProfile = nil
populateTargets ( )
2024-10-14 20:11:34 +00:00
ds . BulkUpsertMDMAppleHostProfilesFunc = func ( ctx context . Context , payload [ ] * fleet . MDMAppleBulkUpsertHostProfilePayload ) error {
2024-11-04 21:44:52 +00:00
assert . Empty ( t , payload ) // no profiles to update since FLEET VAR could not be populated
2024-10-14 20:11:34 +00:00
return nil
}
2025-09-04 16:39:41 +00:00
err = preprocessProfileContents ( ctx , appCfg , ds , scepConfig , digiCertService , logger , targets , profileContents , hostProfilesToInstallMap , userEnrollmentsToHostUUIDsMap , groupedCAs )
2024-10-09 18:47:27 +00:00
require . NoError ( t , err )
require . NotNil ( t , updatedProfile )
2025-04-29 18:35:37 +00:00
assert . Contains ( t , updatedProfile . Detail , "FLEET_VAR_" + fleet . FleetVarNDESSCEPChallenge )
2024-10-09 18:47:27 +00:00
assert . Contains ( t , updatedProfile . Detail , "update credentials" )
2025-05-13 21:22:27 +00:00
assert . NotNil ( t , updatedProfile . VariablesUpdatedAt )
2024-10-09 18:47:27 +00:00
assert . Empty ( t , targets )
// Password cache full
2025-09-04 16:39:41 +00:00
scepConfig . GetNDESSCEPChallengeFunc = func ( ctx context . Context , proxy fleet . NDESSCEPProxyCA ) ( string , error ) {
2024-10-09 18:47:27 +00:00
assert . Equal ( t , ndesPassword , proxy . Password )
return "" , eeservice . NewNDESPasswordCacheFullError ( "NDES error" )
}
updatedProfile = nil
populateTargets ( )
2025-09-04 16:39:41 +00:00
err = preprocessProfileContents ( ctx , appCfg , ds , scepConfig , digiCertService , logger , targets , profileContents , hostProfilesToInstallMap , userEnrollmentsToHostUUIDsMap , groupedCAs )
2024-10-09 18:47:27 +00:00
require . NoError ( t , err )
require . NotNil ( t , updatedProfile )
2025-04-29 18:35:37 +00:00
assert . Contains ( t , updatedProfile . Detail , "FLEET_VAR_" + fleet . FleetVarNDESSCEPChallenge )
2024-10-09 18:47:27 +00:00
assert . Contains ( t , updatedProfile . Detail , "cached passwords" )
2025-05-13 21:22:27 +00:00
assert . NotNil ( t , updatedProfile . VariablesUpdatedAt )
2024-10-09 18:47:27 +00:00
assert . Empty ( t , targets )
2024-11-11 20:57:28 +00:00
// Insufficient permissions
2025-09-04 16:39:41 +00:00
scepConfig . GetNDESSCEPChallengeFunc = func ( ctx context . Context , proxy fleet . NDESSCEPProxyCA ) ( string , error ) {
2024-11-11 20:57:28 +00:00
assert . Equal ( t , ndesPassword , proxy . Password )
return "" , eeservice . NewNDESInsufficientPermissionsError ( "NDES error" )
}
updatedProfile = nil
populateTargets ( )
2025-09-04 16:39:41 +00:00
err = preprocessProfileContents ( ctx , appCfg , ds , scepConfig , digiCertService , logger , targets , profileContents , hostProfilesToInstallMap , userEnrollmentsToHostUUIDsMap , groupedCAs )
2024-11-11 20:57:28 +00:00
require . NoError ( t , err )
require . NotNil ( t , updatedProfile )
2025-04-29 18:35:37 +00:00
assert . Contains ( t , updatedProfile . Detail , "FLEET_VAR_" + fleet . FleetVarNDESSCEPChallenge )
2024-11-11 20:57:28 +00:00
assert . Contains ( t , updatedProfile . Detail , "does not have sufficient permissions" )
2025-05-13 21:22:27 +00:00
assert . NotNil ( t , updatedProfile . VariablesUpdatedAt )
2024-11-11 20:57:28 +00:00
assert . Empty ( t , targets )
2024-10-09 18:47:27 +00:00
// Other NDES challenge error
2025-09-04 16:39:41 +00:00
scepConfig . GetNDESSCEPChallengeFunc = func ( ctx context . Context , proxy fleet . NDESSCEPProxyCA ) ( string , error ) {
2024-10-09 18:47:27 +00:00
assert . Equal ( t , ndesPassword , proxy . Password )
return "" , errors . New ( "NDES error" )
}
updatedProfile = nil
populateTargets ( )
2025-09-04 16:39:41 +00:00
err = preprocessProfileContents ( ctx , appCfg , ds , scepConfig , digiCertService , logger , targets , profileContents , hostProfilesToInstallMap , userEnrollmentsToHostUUIDsMap , groupedCAs )
2024-10-09 18:47:27 +00:00
require . NoError ( t , err )
require . NotNil ( t , updatedProfile )
2025-04-29 18:35:37 +00:00
assert . Contains ( t , updatedProfile . Detail , "FLEET_VAR_" + fleet . FleetVarNDESSCEPChallenge )
2024-10-09 18:47:27 +00:00
assert . NotContains ( t , updatedProfile . Detail , "cached passwords" )
assert . NotContains ( t , updatedProfile . Detail , "update credentials" )
2025-05-13 21:22:27 +00:00
assert . NotNil ( t , updatedProfile . VariablesUpdatedAt )
2024-10-09 18:47:27 +00:00
assert . Empty ( t , targets )
// NDES challenge
challenge := "ndes-challenge"
2025-09-04 16:39:41 +00:00
scepConfig . GetNDESSCEPChallengeFunc = func ( ctx context . Context , proxy fleet . NDESSCEPProxyCA ) ( string , error ) {
2024-10-09 18:47:27 +00:00
assert . Equal ( t , ndesPassword , proxy . Password )
return challenge , nil
}
updatedProfile = nil
2024-11-04 21:44:52 +00:00
ds . BulkUpsertMDMAppleHostProfilesFunc = func ( ctx context . Context , payload [ ] * fleet . MDMAppleBulkUpsertHostProfilePayload ) error {
for _ , p := range payload {
assert . NotEqual ( t , cmdUUID , p . CommandUUID )
}
return nil
}
2024-10-09 18:47:27 +00:00
populateTargets ( )
2025-04-30 19:31:45 +00:00
ds . BulkUpsertMDMManagedCertificatesFunc = func ( ctx context . Context , payload [ ] * fleet . MDMManagedCertificate ) error {
2024-10-11 14:20:19 +00:00
require . Len ( t , payload , 1 )
assert . NotNil ( t , payload [ 0 ] . ChallengeRetrievedAt )
return nil
}
2025-09-04 16:39:41 +00:00
err = preprocessProfileContents ( ctx , appCfg , ds , scepConfig , digiCertService , logger , targets , profileContents , hostProfilesToInstallMap , userEnrollmentsToHostUUIDsMap , groupedCAs )
2024-10-09 18:47:27 +00:00
require . NoError ( t , err )
assert . Nil ( t , updatedProfile )
require . NotEmpty ( t , targets )
assert . Len ( t , targets , 1 )
for profUUID , target := range targets {
assert . NotEqual ( t , profUUID , "p1" ) // new temporary UUID generated for specific host
2024-10-14 20:11:34 +00:00
assert . NotEqual ( t , cmdUUID , target . cmdUUID )
2025-06-16 20:46:38 +00:00
assert . Equal ( t , [ ] string { hostUUID } , target . enrollmentIDs )
2024-10-09 18:47:27 +00:00
assert . Equal ( t , challenge , string ( profileContents [ profUUID ] ) )
}
// NDES SCEP proxy URL
profileContents = map [ string ] mobileconfig . Mobileconfig {
2025-04-29 18:35:37 +00:00
"p1" : [ ] byte ( "$FLEET_VAR_" + fleet . FleetVarNDESSCEPProxyURL ) ,
2024-10-09 18:47:27 +00:00
}
2025-03-19 13:27:55 +00:00
expectedURL := "https://test.example.com" + apple_mdm . SCEPProxyPath + url . QueryEscape ( fmt . Sprintf ( "%s,%s,NDES" , hostUUID , "p1" ) )
2024-10-09 18:47:27 +00:00
updatedProfile = nil
populateTargets ( )
2025-04-30 19:31:45 +00:00
ds . BulkUpsertMDMManagedCertificatesFunc = func ( ctx context . Context , payload [ ] * fleet . MDMManagedCertificate ) error {
2024-10-11 14:20:19 +00:00
assert . Empty ( t , payload )
return nil
}
2025-09-04 16:39:41 +00:00
err = preprocessProfileContents ( ctx , appCfg , ds , scepConfig , digiCertService , logger , targets , profileContents , hostProfilesToInstallMap , userEnrollmentsToHostUUIDsMap , groupedCAs )
2024-10-09 18:47:27 +00:00
require . NoError ( t , err )
assert . Nil ( t , updatedProfile )
require . NotEmpty ( t , targets )
assert . Len ( t , targets , 1 )
for profUUID , target := range targets {
assert . NotEqual ( t , profUUID , "p1" ) // new temporary UUID generated for specific host
2024-10-14 20:11:34 +00:00
assert . NotEqual ( t , cmdUUID , target . cmdUUID )
2025-06-16 20:46:38 +00:00
assert . Equal ( t , [ ] string { hostUUID } , target . enrollmentIDs )
2024-10-09 18:47:27 +00:00
assert . Equal ( t , expectedURL , string ( profileContents [ profUUID ] ) )
}
// No IdP email found
ds . GetHostEmailsFunc = func ( ctx context . Context , hostUUID string , source string ) ( [ ] string , error ) {
return nil , nil
}
profileContents = map [ string ] mobileconfig . Mobileconfig {
2025-04-29 18:35:37 +00:00
"p1" : [ ] byte ( "$FLEET_VAR_" + fleet . FleetVarHostEndUserEmailIDP ) ,
2024-10-09 18:47:27 +00:00
}
updatedProfile = nil
populateTargets ( )
2025-09-04 16:39:41 +00:00
err = preprocessProfileContents ( ctx , appCfg , ds , scepConfig , digiCertService , logger , targets , profileContents , hostProfilesToInstallMap , userEnrollmentsToHostUUIDsMap , groupedCAs )
2024-10-09 18:47:27 +00:00
require . NoError ( t , err )
require . NotNil ( t , updatedProfile )
2025-04-29 18:35:37 +00:00
assert . Contains ( t , updatedProfile . Detail , "FLEET_VAR_" + fleet . FleetVarHostEndUserEmailIDP )
2024-10-09 18:47:27 +00:00
assert . Contains ( t , updatedProfile . Detail , "no IdP email" )
assert . Empty ( t , targets )
// IdP email found
email := "user@example.com"
ds . GetHostEmailsFunc = func ( ctx context . Context , hostUUID string , source string ) ( [ ] string , error ) {
return [ ] string { email } , nil
}
updatedProfile = nil
populateTargets ( )
2025-09-04 16:39:41 +00:00
err = preprocessProfileContents ( ctx , appCfg , ds , scepConfig , digiCertService , logger , targets , profileContents , hostProfilesToInstallMap , userEnrollmentsToHostUUIDsMap , groupedCAs )
2024-10-09 18:47:27 +00:00
require . NoError ( t , err )
assert . Nil ( t , updatedProfile )
require . NotEmpty ( t , targets )
assert . Len ( t , targets , 1 )
for profUUID , target := range targets {
assert . NotEqual ( t , profUUID , "p1" ) // new temporary UUID generated for specific host
2024-10-14 20:11:34 +00:00
assert . NotEqual ( t , cmdUUID , target . cmdUUID )
2025-06-16 20:46:38 +00:00
assert . Equal ( t , [ ] string { hostUUID } , target . enrollmentIDs )
2024-10-09 18:47:27 +00:00
assert . Equal ( t , email , string ( profileContents [ profUUID ] ) )
}
2025-03-11 18:44:08 +00:00
// Hardware serial
ds . ListHostsLiteByUUIDsFunc = func ( ctx context . Context , _ fleet . TeamFilter , uuids [ ] string ) ( [ ] * fleet . Host , error ) {
assert . Equal ( t , [ ] string { hostUUID } , uuids )
return [ ] * fleet . Host {
{ HardwareSerial : "serial1" } ,
} , nil
}
profileContents = map [ string ] mobileconfig . Mobileconfig {
2025-04-29 18:35:37 +00:00
"p1" : [ ] byte ( "$FLEET_VAR_" + fleet . FleetVarHostHardwareSerial ) ,
2025-03-11 18:44:08 +00:00
}
updatedProfile = nil
populateTargets ( )
2025-09-04 16:39:41 +00:00
err = preprocessProfileContents ( ctx , appCfg , ds , scepConfig , digiCertService , logger , targets , profileContents , hostProfilesToInstallMap , userEnrollmentsToHostUUIDsMap , groupedCAs )
2025-03-11 18:44:08 +00:00
require . NoError ( t , err )
assert . Nil ( t , updatedProfile )
require . NotEmpty ( t , targets )
assert . Len ( t , targets , 1 )
for profUUID , target := range targets {
assert . NotEqual ( t , profUUID , "p1" ) // new temporary UUID generated for specific host
assert . NotEqual ( t , cmdUUID , target . cmdUUID )
2025-06-16 20:46:38 +00:00
assert . Equal ( t , [ ] string { hostUUID } , target . enrollmentIDs )
2025-03-11 18:44:08 +00:00
assert . Equal ( t , "serial1" , string ( profileContents [ profUUID ] ) )
}
// Hardware serial fail
ds . ListHostsLiteByUUIDsFunc = func ( ctx context . Context , _ fleet . TeamFilter , uuids [ ] string ) ( [ ] * fleet . Host , error ) {
assert . Equal ( t , [ ] string { hostUUID } , uuids )
return nil , nil
}
updatedProfile = nil
populateTargets ( )
2025-09-04 16:39:41 +00:00
err = preprocessProfileContents ( ctx , appCfg , ds , scepConfig , digiCertService , logger , targets , profileContents , hostProfilesToInstallMap , userEnrollmentsToHostUUIDsMap , groupedCAs )
2025-03-11 18:44:08 +00:00
require . NoError ( t , err )
require . NotNil ( t , updatedProfile )
assert . Contains ( t , updatedProfile . Detail , "Unexpected number of hosts (0) for UUID" )
assert . Empty ( t , targets )
2024-10-09 18:47:27 +00:00
// multiple profiles, multiple hosts
populateTargets = func ( ) {
targets = map [ string ] * cmdTarget {
2025-06-16 20:46:38 +00:00
"p1" : { cmdUUID : cmdUUID , profIdent : "com.add.profile" , enrollmentIDs : [ ] string { hostUUID , "host-2" } } , // fails
"p2" : { cmdUUID : cmdUUID , profIdent : "com.add.profile2" , enrollmentIDs : [ ] string { hostUUID , "host-3" } } , // works
"p3" : { cmdUUID : cmdUUID , profIdent : "com.add.profile3" , enrollmentIDs : [ ] string { hostUUID , "host-4" } } , // no variables
2024-10-09 18:47:27 +00:00
}
}
populateTargets ( )
2025-09-04 16:39:41 +00:00
groupedCAs . NDESSCEP = nil
2024-10-09 18:47:27 +00:00
profileContents = map [ string ] mobileconfig . Mobileconfig {
2025-04-29 18:35:37 +00:00
"p1" : [ ] byte ( "$FLEET_VAR_" + fleet . FleetVarNDESSCEPProxyURL ) ,
"p2" : [ ] byte ( "$FLEET_VAR_" + fleet . FleetVarHostEndUserEmailIDP ) ,
2024-10-09 18:47:27 +00:00
"p3" : [ ] byte ( "no variables" ) ,
}
2024-10-14 20:11:34 +00:00
addProfileToInstall := func ( hostUUID , profileUUID , profileIdentifier string ) {
2024-11-05 18:12:22 +00:00
hostProfilesToInstallMap [ hostProfileUUID {
HostUUID : hostUUID ,
ProfileUUID : profileUUID ,
} ] = & fleet . MDMAppleBulkUpsertHostProfilePayload {
2024-10-14 20:11:34 +00:00
ProfileUUID : profileUUID ,
ProfileIdentifier : profileIdentifier ,
HostUUID : hostUUID ,
OperationType : fleet . MDMOperationTypeInstall ,
Status : & fleet . MDMDeliveryPending ,
CommandUUID : cmdUUID ,
2025-06-16 20:46:38 +00:00
Scope : fleet . PayloadScopeSystem ,
2024-10-14 20:11:34 +00:00
}
}
addProfileToInstall ( hostUUID , "p1" , "com.add.profile" )
addProfileToInstall ( "host-2" , "p1" , "com.add.profile" )
addProfileToInstall ( hostUUID , "p2" , "com.add.profile2" )
addProfileToInstall ( "host-3" , "p2" , "com.add.profile2" )
addProfileToInstall ( hostUUID , "p3" , "com.add.profile3" )
addProfileToInstall ( "host-4" , "p3" , "com.add.profile3" )
2024-10-09 18:47:27 +00:00
expectedHostsToFail := [ ] string { hostUUID , "host-2" , "host-3" }
ds . UpdateOrDeleteHostMDMAppleProfileFunc = func ( ctx context . Context , profile * fleet . HostMDMAppleProfile ) error {
updatedProfile = profile
require . NotNil ( t , updatedProfile . Status )
assert . Equal ( t , fleet . MDMDeliveryFailed , * updatedProfile . Status )
2024-10-14 20:11:34 +00:00
assert . NotEqual ( t , cmdUUID , updatedProfile . CommandUUID )
2024-10-09 18:47:27 +00:00
assert . Contains ( t , expectedHostsToFail , updatedProfile . HostUUID )
assert . Equal ( t , fleet . MDMOperationTypeInstall , updatedProfile . OperationType )
return nil
}
ds . BulkUpsertMDMAppleHostProfilesFunc = func ( ctx context . Context , payload [ ] * fleet . MDMAppleBulkUpsertHostProfilePayload ) error {
for _ , p := range payload {
require . NotNil ( t , p . Status )
2024-10-14 20:11:34 +00:00
if fleet . MDMDeliveryFailed == * p . Status {
assert . Equal ( t , cmdUUID , p . CommandUUID )
} else {
assert . NotEqual ( t , cmdUUID , p . CommandUUID )
}
2024-10-09 18:47:27 +00:00
assert . Equal ( t , fleet . MDMOperationTypeInstall , p . OperationType )
}
return nil
}
2025-09-04 16:39:41 +00:00
err = preprocessProfileContents ( ctx , appCfg , ds , scepConfig , digiCertService , logger , targets , profileContents , hostProfilesToInstallMap , userEnrollmentsToHostUUIDsMap , groupedCAs )
2024-10-09 18:47:27 +00:00
require . NoError ( t , err )
require . NotEmpty ( t , targets )
assert . Len ( t , targets , 3 )
assert . Nil ( t , targets [ "p1" ] ) // error
assert . Nil ( t , targets [ "p2" ] ) // renamed
assert . NotNil ( t , targets [ "p3" ] ) // normal, no variables
for profUUID , target := range targets {
2025-06-16 20:46:38 +00:00
assert . Contains ( t , [ ] [ ] string { { hostUUID } , { "host-3" } , { hostUUID , "host-4" } } , target . enrollmentIDs )
2024-10-14 20:11:34 +00:00
if profUUID == "p3" {
assert . Equal ( t , cmdUUID , target . cmdUUID )
} else {
assert . NotEqual ( t , cmdUUID , target . cmdUUID )
}
2024-10-09 18:47:27 +00:00
assert . Contains ( t , [ ] string { email , "no variables" } , string ( profileContents [ profUUID ] ) )
}
2023-02-17 19:26:51 +00:00
}
2023-03-01 13:43:15 +00:00
func TestAppleMDMFileVaultEscrowFunctions ( t * testing . T ) {
svc := Service { }
2023-03-08 13:31:53 +00:00
err := svc . MDMAppleEnableFileVaultAndEscrow ( context . Background ( ) , ptr . Uint ( 1 ) )
2023-03-01 13:43:15 +00:00
require . ErrorIs ( t , fleet . ErrMissingLicense , err )
2023-03-08 13:31:53 +00:00
err = svc . MDMAppleDisableFileVaultAndEscrow ( context . Background ( ) , ptr . Uint ( 1 ) )
2023-03-01 13:43:15 +00:00
require . ErrorIs ( t , fleet . ErrMissingLicense , err )
}
2023-03-03 18:59:21 +00:00
func TestGenerateEnrollmentProfileMobileConfig ( t * testing . T ) {
// SCEP challenge should be escaped for XML
2023-03-13 13:33:32 +00:00
b , err := apple_mdm . GenerateEnrollmentProfileMobileconfig ( "foo" , "https://example.com" , "foo&bar" , "topic" )
2023-03-03 18:59:21 +00:00
require . NoError ( t , err )
require . Contains ( t , string ( b ) , "foo&bar" )
}
2023-04-04 20:09:20 +00:00
func TestEnsureFleetdConfig ( t * testing . T ) {
testError := errors . New ( "test error" )
testURL := "https://example.com"
testTeamName := "test-team"
logger := kitlog . NewNopLogger ( )
2024-04-18 21:01:37 +00:00
mdmConfig := config . MDMConfig {
AppleSCEPCert : "./testdata/server.pem" ,
AppleSCEPKey : "./testdata/server.key" ,
}
signingCert , _ , _ , err := mdmConfig . AppleSCEP ( )
require . NoError ( t , err )
2023-04-04 20:09:20 +00:00
t . Run ( "no enroll secret found" , func ( t * testing . T ) {
ctx := context . Background ( )
ds := new ( mock . Store )
ds . AppConfigFunc = func ( ctx context . Context ) ( * fleet . AppConfig , error ) {
return & fleet . AppConfig { } , nil
}
ds . AggregateEnrollSecretPerTeamFunc = func ( ctx context . Context ) ( [ ] * fleet . EnrollSecret , error ) {
return [ ] * fleet . EnrollSecret { } , nil
}
ds . BulkUpsertMDMAppleConfigProfilesFunc = func ( ctx context . Context , ps [ ] * fleet . MDMAppleConfigProfile ) error {
require . Empty ( t , ps )
return nil
}
2024-05-30 21:18:42 +00:00
err := ensureFleetProfiles ( ctx , ds , logger , signingCert . Certificate [ 0 ] )
2023-04-04 20:09:20 +00:00
require . NoError ( t , err )
require . True ( t , ds . BulkUpsertMDMAppleConfigProfilesFuncInvoked )
require . True ( t , ds . AggregateEnrollSecretPerTeamFuncInvoked )
require . True ( t , ds . AppConfigFuncInvoked )
} )
t . Run ( "all enroll secrets empty" , func ( t * testing . T ) {
ctx := context . Background ( )
ds := new ( mock . Store )
secrets := [ ] * fleet . EnrollSecret {
{ Secret : "" , TeamID : nil } ,
{ Secret : "" , TeamID : ptr . Uint ( 1 ) } ,
{ Secret : "" , TeamID : ptr . Uint ( 2 ) } ,
}
ds . AggregateEnrollSecretPerTeamFunc = func ( ctx context . Context ) ( [ ] * fleet . EnrollSecret , error ) {
return secrets , nil
}
ds . AppConfigFunc = func ( ctx context . Context ) ( * fleet . AppConfig , error ) {
return & fleet . AppConfig { } , nil
}
ds . BulkUpsertMDMAppleConfigProfilesFunc = func ( ctx context . Context , ps [ ] * fleet . MDMAppleConfigProfile ) error {
require . Empty ( t , ps )
return nil
}
2024-05-30 21:18:42 +00:00
err := ensureFleetProfiles ( ctx , ds , logger , signingCert . Certificate [ 0 ] )
2023-04-04 20:09:20 +00:00
require . NoError ( t , err )
require . True ( t , ds . BulkUpsertMDMAppleConfigProfilesFuncInvoked )
require . True ( t , ds . AggregateEnrollSecretPerTeamFuncInvoked )
require . True ( t , ds . AppConfigFuncInvoked )
} )
t . Run ( "uses the enroll secret of each team if available" , func ( t * testing . T ) {
ctx := context . Background ( )
ds := new ( mock . Store )
secrets := [ ] * fleet . EnrollSecret {
{ Secret : "global" , TeamID : nil } ,
{ Secret : "team-1" , TeamID : ptr . Uint ( 1 ) } ,
{ Secret : "team-2" , TeamID : ptr . Uint ( 2 ) } ,
}
ds . AppConfigFunc = func ( ctx context . Context ) ( * fleet . AppConfig , error ) {
appCfg := & fleet . AppConfig { }
appCfg . ServerSettings . ServerURL = testURL
2024-08-29 22:51:46 +00:00
appCfg . MDM . DeprecatedAppleBMDefaultTeam = testTeamName
2023-04-04 20:09:20 +00:00
return appCfg , nil
}
ds . AggregateEnrollSecretPerTeamFunc = func ( ctx context . Context ) ( [ ] * fleet . EnrollSecret , error ) {
return secrets , nil
}
ds . BulkUpsertMDMAppleConfigProfilesFunc = func ( ctx context . Context , ps [ ] * fleet . MDMAppleConfigProfile ) error {
2024-04-18 21:01:37 +00:00
// fleetd + CA profiles
require . Len ( t , ps , len ( secrets ) * 2 )
var fleetd , fleetCA [ ] * fleet . MDMAppleConfigProfile
for _ , p := range ps {
switch p . Identifier {
case mobileconfig . FleetdConfigPayloadIdentifier :
fleetd = append ( fleetd , p )
case mobileconfig . FleetCARootConfigPayloadIdentifier :
fleetCA = append ( fleetCA , p )
}
}
require . Len ( t , fleetd , 3 )
require . Len ( t , fleetCA , 3 )
for i , p := range fleetd {
2023-04-04 20:09:20 +00:00
require . Contains ( t , string ( p . Mobileconfig ) , testURL )
require . Contains ( t , string ( p . Mobileconfig ) , secrets [ i ] . Secret )
}
return nil
}
2024-05-30 21:18:42 +00:00
err := ensureFleetProfiles ( ctx , ds , logger , signingCert . Certificate [ 0 ] )
2023-04-04 20:09:20 +00:00
require . NoError ( t , err )
require . True ( t , ds . AggregateEnrollSecretPerTeamFuncInvoked )
require . True ( t , ds . BulkUpsertMDMAppleConfigProfilesFuncInvoked )
} )
t . Run ( "if the team doesn't have an enroll secret, fallback to no team" , func ( t * testing . T ) {
ctx := context . Background ( )
ds := new ( mock . Store )
secrets := [ ] * fleet . EnrollSecret {
{ Secret : "global" , TeamID : nil } ,
{ Secret : "" , TeamID : ptr . Uint ( 1 ) } ,
}
ds . AppConfigFunc = func ( ctx context . Context ) ( * fleet . AppConfig , error ) {
appCfg := & fleet . AppConfig { }
appCfg . ServerSettings . ServerURL = testURL
2024-08-29 22:51:46 +00:00
appCfg . MDM . DeprecatedAppleBMDefaultTeam = testTeamName
2023-04-04 20:09:20 +00:00
return appCfg , nil
}
ds . AggregateEnrollSecretPerTeamFunc = func ( ctx context . Context ) ( [ ] * fleet . EnrollSecret , error ) {
return secrets , nil
}
ds . BulkUpsertMDMAppleConfigProfilesFunc = func ( ctx context . Context , ps [ ] * fleet . MDMAppleConfigProfile ) error {
2024-04-18 21:01:37 +00:00
// fleetd + CA profiles
require . Len ( t , ps , len ( secrets ) * 2 )
var fleetd , fleetCA [ ] * fleet . MDMAppleConfigProfile
for _ , p := range ps {
switch p . Identifier {
case mobileconfig . FleetdConfigPayloadIdentifier :
fleetd = append ( fleetd , p )
case mobileconfig . FleetCARootConfigPayloadIdentifier :
fleetCA = append ( fleetCA , p )
}
}
require . Len ( t , fleetd , 2 )
require . Len ( t , fleetCA , 2 )
for i , p := range fleetd {
2023-04-04 20:09:20 +00:00
require . Contains ( t , string ( p . Mobileconfig ) , testURL )
require . Contains ( t , string ( p . Mobileconfig ) , secrets [ i ] . Secret )
}
return nil
}
2024-05-30 21:18:42 +00:00
err := ensureFleetProfiles ( ctx , ds , logger , signingCert . Certificate [ 0 ] )
2023-04-04 20:09:20 +00:00
require . NoError ( t , err )
require . True ( t , ds . AppConfigFuncInvoked )
require . True ( t , ds . AggregateEnrollSecretPerTeamFuncInvoked )
require . True ( t , ds . BulkUpsertMDMAppleConfigProfilesFuncInvoked )
} )
t . Run ( "returns an error if there's a problem retrieving AppConfig" , func ( t * testing . T ) {
ctx := context . Background ( )
ds := new ( mock . Store )
ds . AppConfigFunc = func ( ctx context . Context ) ( * fleet . AppConfig , error ) {
return nil , testError
}
2024-05-30 21:18:42 +00:00
err := ensureFleetProfiles ( ctx , ds , logger , signingCert . Certificate [ 0 ] )
2023-04-04 20:09:20 +00:00
require . ErrorIs ( t , err , testError )
} )
t . Run ( "returns an error if there's a problem retrieving secrets" , func ( t * testing . T ) {
ctx := context . Background ( )
ds := new ( mock . Store )
ds . AppConfigFunc = func ( ctx context . Context ) ( * fleet . AppConfig , error ) {
return & fleet . AppConfig { } , nil
}
ds . AggregateEnrollSecretPerTeamFunc = func ( ctx context . Context ) ( [ ] * fleet . EnrollSecret , error ) {
return nil , testError
}
2024-05-30 21:18:42 +00:00
err := ensureFleetProfiles ( ctx , ds , logger , signingCert . Certificate [ 0 ] )
2023-04-04 20:09:20 +00:00
require . ErrorIs ( t , err , testError )
} )
t . Run ( "returns an error if there's a problem upserting profiles" , func ( t * testing . T ) {
ctx := context . Background ( )
ds := new ( mock . Store )
secrets := [ ] * fleet . EnrollSecret {
{ Secret : "global" , TeamID : nil } ,
{ Secret : "team-1" , TeamID : ptr . Uint ( 1 ) } ,
}
ds . AggregateEnrollSecretPerTeamFunc = func ( ctx context . Context ) ( [ ] * fleet . EnrollSecret , error ) {
return secrets , nil
}
ds . AppConfigFunc = func ( ctx context . Context ) ( * fleet . AppConfig , error ) {
return & fleet . AppConfig { } , nil
}
ds . BulkUpsertMDMAppleConfigProfilesFunc = func ( ctx context . Context , p [ ] * fleet . MDMAppleConfigProfile ) error {
return testError
}
2024-05-30 21:18:42 +00:00
err := ensureFleetProfiles ( ctx , ds , logger , signingCert . Certificate [ 0 ] )
2023-04-04 20:09:20 +00:00
require . ErrorIs ( t , err , testError )
require . True ( t , ds . AppConfigFuncInvoked )
require . True ( t , ds . AggregateEnrollSecretPerTeamFuncInvoked )
require . True ( t , ds . BulkUpsertMDMAppleConfigProfilesFuncInvoked )
} )
}
2023-04-25 13:36:01 +00:00
func TestMDMAppleSetupAssistant ( t * testing . T ) {
2023-05-10 20:22:08 +00:00
svc , ctx , ds := setupAppleMDMService ( t , & fleet . LicenseInfo { Tier : fleet . TierPremium } )
2023-04-25 13:36:01 +00:00
2024-05-24 16:25:27 +00:00
ds . NewActivityFunc = func (
ctx context . Context , user * fleet . User , activity fleet . ActivityDetails , details [ ] byte , createdAt time . Time ,
) error {
2023-04-25 13:36:01 +00:00
return nil
}
2023-05-15 18:06:09 +00:00
ds . NewJobFunc = func ( ctx context . Context , j * fleet . Job ) ( * fleet . Job , error ) {
return j , nil
}
2023-04-25 13:36:01 +00:00
ds . AppConfigFunc = func ( ctx context . Context ) ( * fleet . AppConfig , error ) {
return & fleet . AppConfig { } , nil
}
ds . GetMDMAppleSetupAssistantFunc = func ( ctx context . Context , teamID * uint ) ( * fleet . MDMAppleSetupAssistant , error ) {
return & fleet . MDMAppleSetupAssistant { } , nil
}
ds . SetOrUpdateMDMAppleSetupAssistantFunc = func ( ctx context . Context , asst * fleet . MDMAppleSetupAssistant ) ( * fleet . MDMAppleSetupAssistant , error ) {
return asst , nil
}
ds . DeleteMDMAppleSetupAssistantFunc = func ( ctx context . Context , teamID * uint ) error {
return nil
}
2023-04-26 14:37:03 +00:00
ds . TeamFunc = func ( ctx context . Context , id uint ) ( * fleet . Team , error ) {
return & fleet . Team { ID : id } , nil
}
2024-09-10 22:44:58 +00:00
ds . GetMDMAppleEnrollmentProfileByTypeFunc = func ( ctx context . Context , typ fleet . MDMAppleEnrollmentType ) ( * fleet . MDMAppleEnrollmentProfile , error ) {
return & fleet . MDMAppleEnrollmentProfile { Token : "foobar" } , nil
}
ds . CountABMTokensWithTermsExpiredFunc = func ( ctx context . Context ) ( int , error ) {
return 0 , nil
}
2023-04-25 13:36:01 +00:00
testCases := [ ] struct {
name string
user * fleet . User
teamID * uint
shouldFailRead bool
shouldFailWrite bool
} {
{ "no role no team" , test . UserNoRoles , nil , true , true } ,
{ "no role team" , test . UserNoRoles , ptr . Uint ( 1 ) , true , true } ,
{ "global admin no team" , test . UserAdmin , nil , false , false } ,
{ "global admin team" , test . UserAdmin , ptr . Uint ( 1 ) , false , false } ,
{ "global maintainer no team" , test . UserMaintainer , nil , false , false } ,
{ "global maintainer team" , test . UserMaintainer , ptr . Uint ( 1 ) , false , false } ,
{ "global observer no team" , test . UserObserver , nil , true , true } ,
{ "global observer team" , test . UserObserver , ptr . Uint ( 1 ) , true , true } ,
{ "global observer+ no team" , test . UserObserverPlus , nil , true , true } ,
{ "global observer+ team" , test . UserObserverPlus , ptr . Uint ( 1 ) , true , true } ,
{ "global gitops no team" , test . UserGitOps , nil , true , false } ,
{ "global gitops team" , test . UserGitOps , ptr . Uint ( 1 ) , true , false } ,
{ "team admin no team" , test . UserTeamAdminTeam1 , nil , true , true } ,
{ "team admin team" , test . UserTeamAdminTeam1 , ptr . Uint ( 1 ) , false , false } ,
{ "team admin other team" , test . UserTeamAdminTeam2 , ptr . Uint ( 1 ) , true , true } ,
{ "team maintainer no team" , test . UserTeamMaintainerTeam1 , nil , true , true } ,
{ "team maintainer team" , test . UserTeamMaintainerTeam1 , ptr . Uint ( 1 ) , false , false } ,
{ "team maintainer other team" , test . UserTeamMaintainerTeam2 , ptr . Uint ( 1 ) , true , true } ,
{ "team observer no team" , test . UserTeamObserverTeam1 , nil , true , true } ,
{ "team observer team" , test . UserTeamObserverTeam1 , ptr . Uint ( 1 ) , true , true } ,
{ "team observer other team" , test . UserTeamObserverTeam2 , ptr . Uint ( 1 ) , true , true } ,
{ "team observer+ no team" , test . UserTeamObserverPlusTeam1 , nil , true , true } ,
{ "team observer+ team" , test . UserTeamObserverPlusTeam1 , ptr . Uint ( 1 ) , true , true } ,
{ "team observer+ other team" , test . UserTeamObserverPlusTeam2 , ptr . Uint ( 1 ) , true , true } ,
{ "team gitops no team" , test . UserTeamGitOpsTeam1 , nil , true , true } ,
{ "team gitops team" , test . UserTeamGitOpsTeam1 , ptr . Uint ( 1 ) , true , false } ,
{ "team gitops other team" , test . UserTeamGitOpsTeam2 , ptr . Uint ( 1 ) , true , true } ,
}
for _ , tt := range testCases {
t . Run ( tt . name , func ( t * testing . T ) {
// prepare the context with the user and license
ctx := viewer . NewContext ( ctx , viewer . Viewer { User : tt . user } )
_ , err := svc . GetMDMAppleSetupAssistant ( ctx , tt . teamID )
checkAuthErr ( t , tt . shouldFailRead , err )
_ , err = svc . SetOrUpdateMDMAppleSetupAssistant ( ctx , & fleet . MDMAppleSetupAssistant {
Name : "test" ,
Profile : json . RawMessage ( "{}" ) ,
TeamID : tt . teamID ,
} )
checkAuthErr ( t , tt . shouldFailWrite , err )
err = svc . DeleteMDMAppleSetupAssistant ( ctx , tt . teamID )
checkAuthErr ( t , tt . shouldFailWrite , err )
} )
}
}
2023-06-05 19:08:21 +00:00
func TestMDMApplePreassignEndpoints ( t * testing . T ) {
svc , ctx , _ := setupAppleMDMService ( t , & fleet . LicenseInfo { Tier : fleet . TierPremium } )
checkAuthErr := func ( t * testing . T , err error , shouldFailWithAuth bool ) {
t . Helper ( )
if shouldFailWithAuth {
require . Error ( t , err )
require . Contains ( t , err . Error ( ) , authz . ForbiddenErrorMessage )
} else {
require . NoError ( t , err )
}
}
testCases := [ ] struct {
name string
user * fleet . User
shouldFail bool
} {
{ "no role" , test . UserNoRoles , true } ,
{ "global admin" , test . UserAdmin , false } ,
{ "global maintainer" , test . UserMaintainer , true } ,
{ "global observer" , test . UserObserver , true } ,
{ "global observer+" , test . UserObserverPlus , true } ,
{ "global gitops" , test . UserGitOps , false } ,
{ "team admin" , test . UserTeamAdminTeam1 , true } ,
{ "team maintainer" , test . UserTeamMaintainerTeam1 , true } ,
{ "team observer" , test . UserTeamObserverTeam1 , true } ,
{ "team observer+" , test . UserTeamObserverPlusTeam1 , true } ,
{ "team gitops" , test . UserTeamGitOpsTeam1 , true } ,
}
for _ , tt := range testCases {
t . Run ( tt . name , func ( t * testing . T ) {
// prepare the context with the user
ctx := viewer . NewContext ( ctx , viewer . Viewer { User : tt . user } )
err := svc . MDMApplePreassignProfile ( ctx , fleet . MDMApplePreassignProfilePayload {
ExternalHostIdentifier : "test" ,
HostUUID : "test" ,
Profile : mobileconfigForTest ( "N1" , "I1" ) ,
} )
checkAuthErr ( t , err , tt . shouldFail )
err = svc . MDMAppleMatchPreassignment ( ctx , "test" )
checkAuthErr ( t , err , tt . shouldFail )
} )
}
}
2025-06-16 20:46:38 +00:00
// Helper for creating scoped mobileconfigs. scope is optional and if set to nil is not included in
2025-07-02 14:54:54 +00:00
// the mobileconfig so that default behavior is used. Note that because Fleet enforces that all
// profiles sharing a given identifier have the same scope, it's a good idea to use a unique
// identifier in your test or perhaps one with the scope in its name
2025-06-16 20:46:38 +00:00
func scopedMobileconfigForTest ( name , identifier string , scope * fleet . PayloadScope , vars ... string ) [ ] byte {
2025-05-05 15:46:10 +00:00
var varsStr strings . Builder
for i , v := range vars {
if ! strings . HasPrefix ( v , "FLEET_VAR_" ) {
v = "FLEET_VAR_" + v
}
varsStr . WriteString ( fmt . Sprintf ( "<key>Var %d</key><string>$%s</string>" , i , v ) )
}
2025-06-16 20:46:38 +00:00
scopeEntry := ""
if scope != nil {
scopeEntry = fmt . Sprintf ( ` \n<key>PayloadScope</key>\n<string>%s</string> ` , string ( * scope ) )
}
2025-05-05 15:46:10 +00:00
2023-02-15 18:01:44 +00:00
return [ ] byte ( fmt . Sprintf ( ` < ? xml version = "1.0" encoding = "UTF-8" ? >
< ! DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" >
< plist version = "1.0" >
< dict >
< key > PayloadContent < / key >
< array / >
< key > PayloadDisplayName < / key >
< string > % s < / string >
< key > PayloadIdentifier < / key >
< string > % s < / string >
< key > PayloadType < / key >
< string > Configuration < / string >
< key > PayloadUUID < / key >
2025-06-16 20:46:38 +00:00
< string > % s < / string > % s
2023-02-15 18:01:44 +00:00
< key > PayloadVersion < / key >
< integer > 1 < / integer >
2025-05-05 15:46:10 +00:00
% s
2023-02-15 18:01:44 +00:00
< / dict >
< / plist >
2025-06-16 20:46:38 +00:00
` , name , identifier , uuid . New ( ) . String ( ) , scopeEntry , varsStr . String ( ) ) )
}
func mobileconfigForTest ( name , identifier string , vars ... string ) [ ] byte {
return scopedMobileconfigForTest ( name , identifier , nil , vars ... )
2023-02-15 18:01:44 +00:00
}
2023-03-17 21:52:30 +00:00
2024-03-20 19:15:07 +00:00
func declBytesForTest ( identifier string , payloadContent string ) [ ] byte {
tmpl := ` {
"Type" : "com.apple.configuration.decl%s" ,
"Identifier" : "com.fleet.config%s" ,
"Payload" : {
"ServiceType" : "com.apple.service%s"
}
} `
declBytes := [ ] byte ( fmt . Sprintf ( tmpl , identifier , identifier , payloadContent ) )
return declBytes
}
2023-11-30 23:19:18 +00:00
func mobileconfigForTestWithContent ( outerName , outerIdentifier , innerIdentifier , innerType , innerName string ) [ ] byte {
if innerName == "" {
innerName = outerName + ".inner"
}
2023-03-17 21:52:30 +00:00
return [ ] byte ( fmt . Sprintf ( ` < ? xml version = "1.0" encoding = "UTF-8" ? >
< ! DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" >
< plist version = "1.0" >
< dict >
< key > PayloadContent < / key >
< array >
< dict >
< key > PayloadDisplayName < / key >
< string > % s < / string >
< key > PayloadIdentifier < / key >
< string > % s < / string >
< key > PayloadType < / key >
< string > % s < / string >
< key > PayloadUUID < / key >
< string > 3548 D750 - 6357 - 4910 - 8 DEA - D80ADCE2C787 < / string >
< key > PayloadVersion < / key >
< integer > 1 < / integer >
< key > ShowRecoveryKey < / key >
< false / >
< / dict >
< / array >
< key > PayloadDisplayName < / key >
< string > % s < / string >
< key > PayloadIdentifier < / key >
< string > % s < / string >
< key > PayloadType < / key >
< string > Configuration < / string >
< key > PayloadUUID < / key >
< string > % s < / string >
< key > PayloadVersion < / key >
< integer > 1 < / integer >
< / dict >
< / plist >
2023-11-30 23:19:18 +00:00
` , innerName , innerIdentifier , innerType , outerName , outerIdentifier , uuid . New ( ) . String ( ) ) )
2023-03-17 21:52:30 +00:00
}
2024-02-22 19:23:12 +00:00
func generateCertWithAPNsTopic ( ) ( [ ] byte , [ ] byte , error ) {
// generate a new private key
priv , err := rsa . GenerateKey ( rand . Reader , 2048 )
if err != nil {
return nil , nil , err
}
// set up the OID for UID
oidUID := asn1 . ObjectIdentifier { 0 , 9 , 2342 , 19200300 , 100 , 1 , 1 }
// set up a certificate template with the required UID in the Subject
notBefore := time . Now ( )
notAfter := notBefore . Add ( 365 * 24 * time . Hour )
serialNumber , err := rand . Int ( rand . Reader , new ( big . Int ) . Lsh ( big . NewInt ( 1 ) , 128 ) )
if err != nil {
return nil , nil , err
}
template := x509 . Certificate {
SerialNumber : serialNumber ,
Subject : pkix . Name {
ExtraNames : [ ] pkix . AttributeTypeAndValue {
{
Type : oidUID ,
Value : "com.apple.mgmt.Example" ,
} ,
} ,
} ,
NotBefore : notBefore ,
NotAfter : notAfter ,
KeyUsage : x509 . KeyUsageKeyEncipherment | x509 . KeyUsageDigitalSignature ,
ExtKeyUsage : [ ] x509 . ExtKeyUsage { x509 . ExtKeyUsageServerAuth } ,
BasicConstraintsValid : true ,
}
// create a self-signed certificate
derBytes , err := x509 . CreateCertificate ( rand . Reader , & template , & template , & priv . PublicKey , priv )
if err != nil {
return nil , nil , err
}
// encode to PEM
certPEM := pem . EncodeToMemory ( & pem . Block { Type : "CERTIFICATE" , Bytes : derBytes } )
keyPEM := pem . EncodeToMemory ( & pem . Block { Type : "RSA PRIVATE KEY" , Bytes : x509 . MarshalPKCS1PrivateKey ( priv ) } )
return certPEM , keyPEM , nil
}
2024-05-30 21:18:42 +00:00
func setupTest ( t * testing . T ) ( context . Context , kitlog . Logger , * mock . Store , * config . FleetConfig , * mdmmock . MDMAppleStore , * apple_mdm . MDMAppleCommander ) {
2024-02-22 19:23:12 +00:00
ctx := context . Background ( )
logger := kitlog . NewNopLogger ( )
cfg := config . TestConfig ( )
ds := new ( mock . Store )
2024-05-30 21:18:42 +00:00
mdmStorage := & mdmmock . MDMAppleStore { }
2024-02-22 19:23:12 +00:00
pushFactory , _ := newMockAPNSPushProviderFactory ( )
pusher := nanomdm_pushsvc . New (
mdmStorage ,
mdmStorage ,
pushFactory ,
stdlogfmt . New ( ) ,
)
2024-05-30 21:18:42 +00:00
mdmConfig := config . MDMConfig {
2024-04-18 21:01:37 +00:00
AppleSCEPCert : "./testdata/server.pem" ,
AppleSCEPKey : "./testdata/server.key" ,
2024-05-30 21:18:42 +00:00
}
2025-02-18 23:49:02 +00:00
apnsCert , apnsKey , err := mysql . GenerateTestCertBytes ( mdmtesting . NewTestMDMAppleCertTemplate ( ) )
2024-05-30 21:18:42 +00:00
require . NoError ( t , err )
ds . AppConfigFunc = func ( ctx context . Context ) ( * fleet . AppConfig , error ) {
appCfg := & fleet . AppConfig { }
appCfg . MDM . EnabledAndConfigured = true
return appCfg , nil
}
_ , pemCert , pemKey , err := mdmConfig . AppleSCEP ( )
require . NoError ( t , err )
2024-10-09 18:47:27 +00:00
ds . GetAllMDMConfigAssetsByNameFunc = func ( ctx context . Context , assetNames [ ] fleet . MDMAssetName ,
2024-11-05 18:12:22 +00:00
_ sqlx . QueryerContext ,
) ( map [ fleet . MDMAssetName ] fleet . MDMConfigAsset , error ) {
2024-05-30 21:18:42 +00:00
return map [ fleet . MDMAssetName ] fleet . MDMConfigAsset {
fleet . MDMAssetCACert : { Value : pemCert } ,
fleet . MDMAssetCAKey : { Value : pemKey } ,
fleet . MDMAssetAPNSKey : { Value : apnsKey } ,
fleet . MDMAssetAPNSCert : { Value : apnsCert } ,
} , nil
}
2024-10-09 18:47:27 +00:00
mdmStorage . GetAllMDMConfigAssetsByNameFunc = func ( ctx context . Context , assetNames [ ] fleet . MDMAssetName ,
2024-11-05 18:12:22 +00:00
_ sqlx . QueryerContext ,
) ( map [ fleet . MDMAssetName ] fleet . MDMConfigAsset , error ) {
2024-05-30 21:18:42 +00:00
return map [ fleet . MDMAssetName ] fleet . MDMConfigAsset {
fleet . MDMAssetCACert : { Value : pemCert } ,
fleet . MDMAssetCAKey : { Value : pemKey } ,
fleet . MDMAssetAPNSKey : { Value : apnsKey } ,
fleet . MDMAssetAPNSCert : { Value : apnsCert } ,
} , nil
}
commander := apple_mdm . NewMDMAppleCommander ( mdmStorage , pusher )
2024-02-22 19:23:12 +00:00
return ctx , logger , ds , & cfg , mdmStorage , commander
}
func TestRenewSCEPCertificatesMDMConfigNotSet ( t * testing . T ) {
ctx , logger , ds , cfg , _ , commander := setupTest ( t )
2024-05-30 21:18:42 +00:00
ds . AppConfigFunc = func ( ctx context . Context ) ( * fleet . AppConfig , error ) {
appCfg := & fleet . AppConfig { }
appCfg . MDM . EnabledAndConfigured = false
return appCfg , nil
}
2024-02-22 19:23:12 +00:00
err := RenewSCEPCertificates ( ctx , logger , ds , cfg , commander )
require . NoError ( t , err )
}
func TestRenewSCEPCertificatesCommanderNil ( t * testing . T ) {
ctx , logger , ds , cfg , _ , _ := setupTest ( t )
err := RenewSCEPCertificates ( ctx , logger , ds , cfg , nil )
require . NoError ( t , err )
}
func TestRenewSCEPCertificatesBranches ( t * testing . T ) {
tests := [ ] struct {
name string
2024-05-30 21:18:42 +00:00
customExpectations func ( * testing . T , * mock . Store , * config . FleetConfig , * mdmmock . MDMAppleStore , * apple_mdm . MDMAppleCommander )
2024-02-22 19:23:12 +00:00
expectedError bool
} {
{
name : "No Certs to Renew" ,
2024-05-30 21:18:42 +00:00
customExpectations : func ( t * testing . T , ds * mock . Store , cfg * config . FleetConfig , appleStore * mdmmock . MDMAppleStore , commander * apple_mdm . MDMAppleCommander ) {
2024-02-22 19:23:12 +00:00
ds . GetHostCertAssociationsToExpireFunc = func ( ctx context . Context , expiryDays int , limit int ) ( [ ] fleet . SCEPIdentityAssociation , error ) {
return nil , nil
}
} ,
expectedError : false ,
} ,
{
name : "GetHostCertAssociationsToExpire Errors" ,
2024-05-30 21:18:42 +00:00
customExpectations : func ( t * testing . T , ds * mock . Store , cfg * config . FleetConfig , appleStore * mdmmock . MDMAppleStore , commander * apple_mdm . MDMAppleCommander ) {
2024-02-22 19:23:12 +00:00
ds . GetHostCertAssociationsToExpireFunc = func ( ctx context . Context , expiryDays int , limit int ) ( [ ] fleet . SCEPIdentityAssociation , error ) {
return nil , errors . New ( "database error" )
}
} ,
expectedError : true ,
} ,
{
name : "AppConfig Errors" ,
2024-05-30 21:18:42 +00:00
customExpectations : func ( t * testing . T , ds * mock . Store , cfg * config . FleetConfig , appleStore * mdmmock . MDMAppleStore , commander * apple_mdm . MDMAppleCommander ) {
2024-02-22 19:23:12 +00:00
ds . AppConfigFunc = func ( ctx context . Context ) ( * fleet . AppConfig , error ) {
return nil , errors . New ( "app config error" )
}
} ,
expectedError : true ,
} ,
{
name : "InstallProfile for hostsWithoutRefs" ,
2024-05-30 21:18:42 +00:00
customExpectations : func ( t * testing . T , ds * mock . Store , cfg * config . FleetConfig , appleStore * mdmmock . MDMAppleStore , commander * apple_mdm . MDMAppleCommander ) {
2024-02-22 19:23:12 +00:00
var wantCommandUUID string
ds . GetHostCertAssociationsToExpireFunc = func ( ctx context . Context , expiryDays int , limit int ) ( [ ] fleet . SCEPIdentityAssociation , error ) {
return [ ] fleet . SCEPIdentityAssociation { { HostUUID : "hostUUID1" , EnrollReference : "" } } , nil
}
2024-12-20 21:40:23 +00:00
appleStore . EnqueueCommandFunc = func ( ctx context . Context , id [ ] string , cmd * mdm . CommandWithSubtype ) ( map [ string ] error ,
2025-01-30 11:17:36 +00:00
error ,
) {
2024-12-20 21:40:23 +00:00
require . Equal ( t , "InstallProfile" , cmd . Command . Command . RequestType )
2024-02-22 19:23:12 +00:00
wantCommandUUID = cmd . CommandUUID
return map [ string ] error { } , nil
}
ds . SetCommandForPendingSCEPRenewalFunc = func ( ctx context . Context , assocs [ ] fleet . SCEPIdentityAssociation , cmdUUID string ) error {
require . Len ( t , assocs , 1 )
require . Equal ( t , "hostUUID1" , assocs [ 0 ] . HostUUID )
require . Equal ( t , cmdUUID , wantCommandUUID )
return nil
}
t . Cleanup ( func ( ) {
require . True ( t , appleStore . EnqueueCommandFuncInvoked )
require . True ( t , ds . SetCommandForPendingSCEPRenewalFuncInvoked )
} )
} ,
expectedError : false ,
} ,
{
name : "InstallProfile for hostsWithoutRefs fails" ,
2024-05-30 21:18:42 +00:00
customExpectations : func ( t * testing . T , ds * mock . Store , cfg * config . FleetConfig , appleStore * mdmmock . MDMAppleStore , commander * apple_mdm . MDMAppleCommander ) {
2024-02-22 19:23:12 +00:00
ds . GetHostCertAssociationsToExpireFunc = func ( ctx context . Context , expiryDays int , limit int ) ( [ ] fleet . SCEPIdentityAssociation , error ) {
return [ ] fleet . SCEPIdentityAssociation { { HostUUID : "hostUUID1" , EnrollReference : "" } } , nil
}
2024-12-20 21:40:23 +00:00
appleStore . EnqueueCommandFunc = func ( ctx context . Context , id [ ] string , cmd * mdm . CommandWithSubtype ) ( map [ string ] error ,
2025-01-30 11:17:36 +00:00
error ,
) {
2024-02-22 19:23:12 +00:00
return map [ string ] error { } , errors . New ( "foo" )
}
} ,
expectedError : true ,
} ,
{
name : "InstallProfile for hostsWithRefs" ,
2024-05-30 21:18:42 +00:00
customExpectations : func ( t * testing . T , ds * mock . Store , cfg * config . FleetConfig , appleStore * mdmmock . MDMAppleStore , commander * apple_mdm . MDMAppleCommander ) {
2024-02-22 19:23:12 +00:00
var wantCommandUUID string
ds . GetHostCertAssociationsToExpireFunc = func ( ctx context . Context , expiryDays int , limit int ) ( [ ] fleet . SCEPIdentityAssociation , error ) {
return [ ] fleet . SCEPIdentityAssociation { { HostUUID : "hostUUID2" , EnrollReference : "ref1" } } , nil
}
2024-12-20 21:40:23 +00:00
appleStore . EnqueueCommandFunc = func ( ctx context . Context , id [ ] string , cmd * mdm . CommandWithSubtype ) ( map [ string ] error ,
2025-01-30 11:17:36 +00:00
error ,
) {
2024-12-20 21:40:23 +00:00
require . Equal ( t , "InstallProfile" , cmd . Command . Command . RequestType )
2024-02-22 19:23:12 +00:00
wantCommandUUID = cmd . CommandUUID
return map [ string ] error { } , nil
}
ds . SetCommandForPendingSCEPRenewalFunc = func ( ctx context . Context , assocs [ ] fleet . SCEPIdentityAssociation , cmdUUID string ) error {
require . Len ( t , assocs , 1 )
require . Equal ( t , "hostUUID2" , assocs [ 0 ] . HostUUID )
require . Equal ( t , cmdUUID , wantCommandUUID )
return nil
}
t . Cleanup ( func ( ) {
require . True ( t , appleStore . EnqueueCommandFuncInvoked )
require . True ( t , ds . SetCommandForPendingSCEPRenewalFuncInvoked )
} )
} ,
expectedError : false ,
} ,
{
name : "InstallProfile for hostsWithRefs fails" ,
2024-05-30 21:18:42 +00:00
customExpectations : func ( t * testing . T , ds * mock . Store , cfg * config . FleetConfig , appleStore * mdmmock . MDMAppleStore , commander * apple_mdm . MDMAppleCommander ) {
2024-02-22 19:23:12 +00:00
ds . GetHostCertAssociationsToExpireFunc = func ( ctx context . Context , expiryDays int , limit int ) ( [ ] fleet . SCEPIdentityAssociation , error ) {
return [ ] fleet . SCEPIdentityAssociation { { HostUUID : "hostUUID1" , EnrollReference : "ref1" } } , nil
}
2024-12-20 21:40:23 +00:00
appleStore . EnqueueCommandFunc = func ( ctx context . Context , id [ ] string , cmd * mdm . CommandWithSubtype ) ( map [ string ] error ,
2025-01-30 11:17:36 +00:00
error ,
) {
2024-02-22 19:23:12 +00:00
return map [ string ] error { } , errors . New ( "foo" )
}
} ,
expectedError : true ,
} ,
2025-07-18 20:45:00 +00:00
{
name : "InstallProfile for userDeviceAssocs" ,
customExpectations : func ( t * testing . T , ds * mock . Store , cfg * config . FleetConfig , appleStore * mdmmock . MDMAppleStore , commander * apple_mdm . MDMAppleCommander ) {
wantCommandUUIDs := make ( map [ string ] string )
ds . GetHostCertAssociationsToExpireFunc = func ( ctx context . Context , expiryDays int , limit int ) ( [ ] fleet . SCEPIdentityAssociation , error ) {
return [ ] fleet . SCEPIdentityAssociation { { HostUUID : "hostUUID1" , EnrollmentType : "User Enrollment (Device)" } , { HostUUID : "hostUUID2" , EnrollmentType : "User Enrollment (Device)" } } , nil
}
user1Email := "user1@example.com"
user2Email := "user2@example.com"
ds . GetMDMIdPAccountsByHostUUIDsFunc = func ( ctx context . Context , hostUUIDs [ ] string ) ( map [ string ] * fleet . MDMIdPAccount , error ) {
require . Len ( t , hostUUIDs , 2 )
return map [ string ] * fleet . MDMIdPAccount {
"hostUUID2" : {
UUID : "userUUID2" ,
Username : "user2" ,
Email : user2Email ,
} ,
"hostUUID1" : {
UUID : "userUUID1" ,
Username : "user1" ,
Email : user1Email ,
} ,
} , nil
}
appleStore . EnqueueCommandFunc = func ( ctx context . Context , id [ ] string , cmd * mdm . CommandWithSubtype ) ( map [ string ] error ,
error ,
) {
require . Equal ( t , "InstallProfile" , cmd . Command . Command . RequestType )
require . Equal ( t , 1 , len ( id ) )
_ , idAlreadyExists := wantCommandUUIDs [ id [ 0 ] ]
// Should only get one for each host
require . False ( t , idAlreadyExists , "Command UUID for host %s already exists: %s" , id [ 0 ] , wantCommandUUIDs [ id [ 0 ] ] )
wantCommandUUIDs [ id [ 0 ] ] = cmd . CommandUUID
// Make sure the user's email made it into the profile
var fullCmd micromdm . CommandPayload
require . NoError ( t , plist . Unmarshal ( cmd . Raw , & fullCmd ) )
switch id [ 0 ] {
case "hostUUID1" :
require . True ( t , bytes . Contains ( fullCmd . Command . InstallProfile . Payload , [ ] byte ( user1Email ) ) , "The profile for hostUUID 1 should contain the associated user email" )
case "hostUUID2" :
require . True ( t , bytes . Contains ( fullCmd . Command . InstallProfile . Payload , [ ] byte ( user2Email ) ) , "The profile for hostUUID 2 should contain the associated user email" )
default :
require . Fail ( t , "Unexpected host ID for command: %s" , id [ 0 ] )
}
return map [ string ] error { } , nil
}
ds . SetCommandForPendingSCEPRenewalFunc = func ( ctx context . Context , assocs [ ] fleet . SCEPIdentityAssociation , cmdUUID string ) error {
require . Len ( t , assocs , 1 )
require . Contains ( t , [ ] string { "hostUUID1" , "hostUUID2" } , assocs [ 0 ] . HostUUID )
require . Equal ( t , cmdUUID , wantCommandUUIDs [ assocs [ 0 ] . HostUUID ] )
return nil
}
t . Cleanup ( func ( ) {
require . True ( t , appleStore . EnqueueCommandFuncInvoked )
require . True ( t , ds . SetCommandForPendingSCEPRenewalFuncInvoked )
} )
} ,
expectedError : false ,
} ,
{
name : "InstallProfile for userDeviceAssocs does not return email for one device" ,
customExpectations : func ( t * testing . T , ds * mock . Store , cfg * config . FleetConfig , appleStore * mdmmock . MDMAppleStore , commander * apple_mdm . MDMAppleCommander ) {
wantCommandUUIDs := make ( map [ string ] string )
ds . GetHostCertAssociationsToExpireFunc = func ( ctx context . Context , expiryDays int , limit int ) ( [ ] fleet . SCEPIdentityAssociation , error ) {
return [ ] fleet . SCEPIdentityAssociation { { HostUUID : "hostUUID1" , EnrollmentType : "User Enrollment (Device)" } , { HostUUID : "hostUUID2" , EnrollmentType : "User Enrollment (Device)" } } , nil
}
user1Email := "user1@example.com"
ds . GetMDMIdPAccountsByHostUUIDsFunc = func ( ctx context . Context , hostUUIDs [ ] string ) ( map [ string ] * fleet . MDMIdPAccount , error ) {
require . Len ( t , hostUUIDs , 2 )
return map [ string ] * fleet . MDMIdPAccount {
"hostUUID1" : {
UUID : "userUUID1" ,
Username : "user1" ,
Email : user1Email ,
} ,
} , nil
}
appleStore . EnqueueCommandFunc = func ( ctx context . Context , id [ ] string , cmd * mdm . CommandWithSubtype ) ( map [ string ] error ,
error ,
) {
require . Equal ( t , "InstallProfile" , cmd . Command . Command . RequestType )
require . Equal ( t , 1 , len ( id ) )
_ , idAlreadyExists := wantCommandUUIDs [ id [ 0 ] ]
// Should only get one for each host
require . False ( t , idAlreadyExists , "Command UUID for host %s already exists: %s" , id [ 0 ] , wantCommandUUIDs [ id [ 0 ] ] )
wantCommandUUIDs [ id [ 0 ] ] = cmd . CommandUUID
// Make sure the user's email made it into the profile if it was returned
var fullCmd micromdm . CommandPayload
require . NoError ( t , plist . Unmarshal ( cmd . Raw , & fullCmd ) )
switch id [ 0 ] {
// Only hostUUID1 has an email associated with it
// so we expect it to be present in the profile
case "hostUUID1" :
require . True ( t , bytes . Contains ( fullCmd . Command . InstallProfile . Payload , [ ] byte ( user1Email ) ) , "The profile for hostUUID 1 should contain the associated user email" )
case "hostUUID2" :
require . False ( t , bytes . Contains ( fullCmd . Command . InstallProfile . Payload , [ ] byte ( "@example.com" ) ) , "The profile for hostUUID 2 should not contain any user email" )
default :
require . Fail ( t , "Unexpected host ID for command: %s" , id [ 0 ] )
}
return map [ string ] error { } , nil
}
ds . SetCommandForPendingSCEPRenewalFunc = func ( ctx context . Context , assocs [ ] fleet . SCEPIdentityAssociation , cmdUUID string ) error {
require . Len ( t , assocs , 1 )
require . Contains ( t , [ ] string { "hostUUID1" , "hostUUID2" } , assocs [ 0 ] . HostUUID )
require . Equal ( t , cmdUUID , wantCommandUUIDs [ assocs [ 0 ] . HostUUID ] )
return nil
}
t . Cleanup ( func ( ) {
require . True ( t , appleStore . EnqueueCommandFuncInvoked )
require . True ( t , ds . SetCommandForPendingSCEPRenewalFuncInvoked )
} )
} ,
expectedError : false ,
} ,
{
name : "InstallProfile for userDeviceAssocs fails" ,
customExpectations : func ( t * testing . T , ds * mock . Store , cfg * config . FleetConfig , appleStore * mdmmock . MDMAppleStore , commander * apple_mdm . MDMAppleCommander ) {
ds . GetHostCertAssociationsToExpireFunc = func ( ctx context . Context , expiryDays int , limit int ) ( [ ] fleet . SCEPIdentityAssociation , error ) {
return [ ] fleet . SCEPIdentityAssociation { { HostUUID : "hostUUID1" , EnrollmentType : "User Enrollment (Device)" } , { HostUUID : "hostUUID2" , EnrollmentType : "User Enrollment (Device)" } } , nil
}
user1Email := "user1@example.com"
user2Email := "user2@example.com"
ds . GetMDMIdPAccountsByHostUUIDsFunc = func ( ctx context . Context , hostUUIDs [ ] string ) ( map [ string ] * fleet . MDMIdPAccount , error ) {
require . Len ( t , hostUUIDs , 2 )
return map [ string ] * fleet . MDMIdPAccount {
"hostUUID2" : {
UUID : "userUUID2" ,
Username : "user2" ,
Email : user2Email ,
} ,
"hostUUID1" : {
UUID : "userUUID1" ,
Username : "user1" ,
Email : user1Email ,
} ,
} , nil
}
appleStore . EnqueueCommandFunc = func ( ctx context . Context , id [ ] string , cmd * mdm . CommandWithSubtype ) ( map [ string ] error ,
error ,
) {
return map [ string ] error { } , errors . New ( "foo" )
}
} ,
expectedError : true ,
} ,
2024-02-22 19:23:12 +00:00
}
for _ , tc := range tests {
t . Run ( tc . name , func ( t * testing . T ) {
ctx , logger , ds , cfg , appleStorage , commander := setupTest ( t )
ds . AppConfigFunc = func ( ctx context . Context ) ( * fleet . AppConfig , error ) {
appCfg := & fleet . AppConfig { }
appCfg . OrgInfo . OrgName = "fl33t"
appCfg . ServerSettings . ServerURL = "https://foo.example.com"
2024-05-30 21:18:42 +00:00
appCfg . MDM . EnabledAndConfigured = true
2024-02-22 19:23:12 +00:00
return appCfg , nil
}
ds . GetHostCertAssociationsToExpireFunc = func ( ctx context . Context , expiryDays int , limit int ) ( [ ] fleet . SCEPIdentityAssociation , error ) {
return [ ] fleet . SCEPIdentityAssociation { } , nil
}
ds . SetCommandForPendingSCEPRenewalFunc = func ( ctx context . Context , assocs [ ] fleet . SCEPIdentityAssociation , cmdUUID string ) error {
return nil
}
appleStorage . RetrievePushInfoFunc = func ( ctx context . Context , targets [ ] string ) ( map [ string ] * mdm . Push , error ) {
pushes := make ( map [ string ] * mdm . Push , len ( targets ) )
for _ , uuid := range targets {
pushes [ uuid ] = & mdm . Push {
PushMagic : "magic" + uuid ,
Token : [ ] byte ( "token" + uuid ) ,
Topic : "topic" + uuid ,
}
}
return pushes , nil
}
appleStorage . RetrievePushCertFunc = func ( ctx context . Context , topic string ) ( * tls . Certificate , string , error ) {
2025-02-18 23:49:02 +00:00
apnsCert , apnsKey , err := mysql . GenerateTestCertBytes ( mdmtesting . NewTestMDMAppleCertTemplate ( ) )
2024-05-30 21:18:42 +00:00
require . NoError ( t , err )
cert , err := tls . X509KeyPair ( apnsCert , apnsKey )
2024-02-22 19:23:12 +00:00
return & cert , "" , err
}
tc . customExpectations ( t , ds , cfg , appleStorage , commander )
err := RenewSCEPCertificates ( ctx , logger , ds , cfg , commander )
if tc . expectedError {
require . Error ( t , err )
} else {
require . NoError ( t , err )
}
} )
}
}
2024-05-28 22:17:14 +00:00
func TestMDMCommandAndReportResultsIOSIPadOSRefetch ( t * testing . T ) {
ctx := context . Background ( )
hostID := uint ( 42 )
hostUUID := "ABC-DEF-GHI"
2024-08-21 13:51:04 +00:00
commandUUID := fleet . RefetchDeviceCommandUUIDPrefix + "UUID"
2024-05-28 22:17:14 +00:00
ds := new ( mock . Store )
svc := MDMAppleCheckinAndCommandService { ds : ds }
ds . HostByIdentifierFunc = func ( ctx context . Context , identifier string ) ( * fleet . Host , error ) {
return & fleet . Host {
ID : hostID ,
UUID : hostUUID ,
} , nil
}
ds . UpdateHostFunc = func ( ctx context . Context , host * fleet . Host ) error {
require . Equal ( t , "Work iPad" , host . ComputerName )
require . Equal ( t , "Work iPad" , host . Hostname )
require . Equal ( t , "iPadOS 17.5.1" , host . OSVersion )
require . Equal ( t , "ff:ff:ff:ff:ff:ff" , host . PrimaryMac )
require . Equal ( t , "iPad13,18" , host . HardwareModel )
require . WithinDuration ( t , time . Now ( ) , host . DetailUpdatedAt , 1 * time . Minute )
return nil
}
ds . SetOrUpdateHostDisksSpaceFunc = func ( ctx context . Context , hostID uint , gigsAvailable , percentAvailable , gigsTotal float64 ) error {
require . Equal ( t , hostID , hostID )
require . NotZero ( t , 51 , int64 ( gigsAvailable ) )
require . NotZero ( t , 79 , int64 ( percentAvailable ) )
require . NotZero ( t , 64 , int64 ( gigsTotal ) )
return nil
}
iOS/iPadOS as platforms/labels (#20126)
#19963
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [X] Added/updated tests
- [X] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
- [X] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [X] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [X] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [X] Manual QA for all new/changed functionality
---
# API changes for dashboard UI changes
## Main dashboard page
`GET /api/latest/fleet/host_summary?low_disk_space=32` (see
`ios`/`ipados` platforms and `iOS`/`iPadOS` labels)
```json
{
"totals_hosts_count": 9,
"online_count": 0,
"offline_count": 9,
"mia_count": 0,
"missing_30_days_count": 0,
"new_count": 0,
"all_linux_count": 2,
"low_disk_space_count": 3,
"builtin_labels": [
{
"id": 1,
"name": "macOS 14+ (Sonoma+)",
"description": "macOS hosts with version 14 and above",
"label_type": "builtin"
},
{
"id": 7,
"name": "All Hosts",
"description": "All hosts which have enrolled in Fleet",
"label_type": "builtin"
},
{
"id": 8,
"name": "macOS",
"description": "All macOS hosts",
"label_type": "builtin"
},
{
"id": 9,
"name": "Ubuntu Linux",
"description": "All Ubuntu hosts",
"label_type": "builtin"
},
{
"id": 10,
"name": "CentOS Linux",
"description": "All CentOS hosts",
"label_type": "builtin"
},
{
"id": 11,
"name": "MS Windows",
"description": "All Windows hosts",
"label_type": "builtin"
},
{
"id": 12,
"name": "Red Hat Linux",
"description": "All Red Hat Enterprise Linux hosts",
"label_type": "builtin"
},
{
"id": 13,
"name": "All Linux",
"description": "All Linux distributions",
"label_type": "builtin"
},
{
"id": 14,
"name": "chrome",
"description": "All Chrome hosts",
"label_type": "builtin"
},
{
"id": 15,
"name": "iOS",
"description": "All iOS hosts",
"label_type": "builtin"
},
{
"id": 16,
"name": "iPadOS",
"description": "All iPadOS hosts",
"label_type": "builtin"
}
],
"platforms": [
{
"platform": "darwin",
"hosts_count": 3
},
{
"platform": "ios",
"hosts_count": 1
},
{
"platform": "ipados",
"hosts_count": 1
},
{
"platform": "rhel",
"hosts_count": 1
},
{
"platform": "ubuntu",
"hosts_count": 1
},
{
"platform": "windows",
"hosts_count": 2
}
]
}
```
## After selecting a platform
`GET /api/latest/fleet/host_summary?platform=ios&low_disk_space=100`
(similar with `ipados`)
```json
{
"totals_hosts_count": 1,
"online_count": 0,
"offline_count": 1,
"mia_count": 0,
"missing_30_days_count": 0,
"new_count": 0,
"all_linux_count": 0,
"low_disk_space_count": 1,
"builtin_labels": [
{
"id": 1,
"name": "macOS 14+ (Sonoma+)",
"description": "macOS hosts with version 14 and above",
"label_type": "builtin"
},
{
"id": 7,
"name": "All Hosts",
"description": "All hosts which have enrolled in Fleet",
"label_type": "builtin"
},
{
"id": 8,
"name": "macOS",
"description": "All macOS hosts",
"label_type": "builtin"
},
{
"id": 9,
"name": "Ubuntu Linux",
"description": "All Ubuntu hosts",
"label_type": "builtin"
},
{
"id": 10,
"name": "CentOS Linux",
"description": "All CentOS hosts",
"label_type": "builtin"
},
{
"id": 11,
"name": "MS Windows",
"description": "All Windows hosts",
"label_type": "builtin"
},
{
"id": 12,
"name": "Red Hat Linux",
"description": "All Red Hat Enterprise Linux hosts",
"label_type": "builtin"
},
{
"id": 13,
"name": "All Linux",
"description": "All Linux distributions",
"label_type": "builtin"
},
{
"id": 14,
"name": "chrome",
"description": "All Chrome hosts",
"label_type": "builtin"
},
{
"id": 15,
"name": "iOS",
"description": "All iOS hosts",
"label_type": "builtin"
},
{
"id": 16,
"name": "iPadOS",
"description": "All iPadOS hosts",
"label_type": "builtin"
}
],
"platforms": [
{
"platform": "ios",
"hosts_count": 1
}
]
}
```
### To populate list of MDM solutions of a selected platform
`GET /api/latest/fleet/hosts/summary/mdm\?platform=ios` (similar with
`ipados`)
```json
{
"counts_updated_at": "2024-06-27T21:56:45Z",
"mobile_device_management_enrollment_status": {
"enrolled_manual_hosts_count": 0,
"enrolled_automated_hosts_count": 1,
"pending_hosts_count": 0,
"unenrolled_hosts_count": 0,
"hosts_count": 1
},
"mobile_device_management_solution": [
{
"id": 1,
"name": "Fleet",
"server_url": "https://lucas-fleet.ngrok.app/mdm/apple/mdm",
"hosts_count": 1
}
]
}
```
### To populate OS versions of a selected platform
`GET /api/latest/fleet/os_versions?platform=ipados` (similar with `ios`)
```json
{
"meta": {
"has_next_results": false,
"has_previous_results": false
},
"count": 1,
"counts_updated_at": "2024-06-27T21:36:12Z",
"os_versions": [
{
"os_version_id": 7,
"hosts_count": 1,
"name": "iPadOS 17.5.1",
"name_only": "iPadOS",
"version": "17.5.1",
"platform": "ipados",
"vulnerabilities": []
}
]
}
```
## Filtering hosts by the two new `iOS`/`iPadOS` labels
Works the same as with other labels.
2024-07-08 21:05:29 +00:00
ds . UpdateHostOperatingSystemFunc = func ( ctx context . Context , hostID uint , hostOS fleet . OperatingSystem ) error {
require . Equal ( t , hostID , hostID )
require . Equal ( t , "iPadOS" , hostOS . Name )
require . Equal ( t , "17.5.1" , hostOS . Version )
require . Equal ( t , "ipados" , hostOS . Platform )
return nil
}
2024-08-21 13:51:04 +00:00
ds . RemoveHostMDMCommandFunc = func ( ctx context . Context , command fleet . HostMDMCommand ) error {
assert . Equal ( t , hostID , command . HostID )
assert . Equal ( t , fleet . RefetchDeviceCommandUUIDPrefix , command . CommandType )
return nil
}
2024-05-28 22:17:14 +00:00
_ , err := svc . CommandAndReportResults (
& mdm . Request { Context : ctx } ,
& mdm . CommandResults {
Enrollment : mdm . Enrollment { UDID : hostUUID } ,
CommandUUID : commandUUID ,
Raw : [ ] byte ( ` < ? xml version = "1.0" encoding = "UTF-8" ? >
< ! DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" >
< plist version = "1.0" >
< dict >
< key > CommandUUID < / key >
< string > REFETCH - fd23f8ac - 1 c50 - 41 c7 - a5bb - f13633c9ea97 < / string >
< key > QueryResponses < / key >
< dict >
< key > AvailableDeviceCapacity < / key >
< real > 51.260395520000003 < / real >
< key > DeviceCapacity < / key >
< real > 64 < / real >
< key > DeviceName < / key >
< string > Work iPad < / string >
< key > OSVersion < / key >
< string > 17.5 .1 < / string >
< key > ProductName < / key >
< string > iPad13 , 18 < / string >
< key > WiFiMAC < / key >
< string > ff : ff : ff : ff : ff : ff < / string >
< / dict >
< key > Status < / key >
< string > Acknowledged < / string >
< key > UDID < / key >
< string > FFFFFFFF - FFFFFFFFFFFFFFFF < / string >
< / dict >
< / plist > ` ) ,
} ,
)
require . NoError ( t , err )
require . True ( t , ds . UpdateHostFuncInvoked )
require . True ( t , ds . HostByIdentifierFuncInvoked )
require . True ( t , ds . SetOrUpdateHostDisksSpaceFuncInvoked )
iOS/iPadOS as platforms/labels (#20126)
#19963
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [X] Added/updated tests
- [X] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
- [X] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [X] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [X] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [X] Manual QA for all new/changed functionality
---
# API changes for dashboard UI changes
## Main dashboard page
`GET /api/latest/fleet/host_summary?low_disk_space=32` (see
`ios`/`ipados` platforms and `iOS`/`iPadOS` labels)
```json
{
"totals_hosts_count": 9,
"online_count": 0,
"offline_count": 9,
"mia_count": 0,
"missing_30_days_count": 0,
"new_count": 0,
"all_linux_count": 2,
"low_disk_space_count": 3,
"builtin_labels": [
{
"id": 1,
"name": "macOS 14+ (Sonoma+)",
"description": "macOS hosts with version 14 and above",
"label_type": "builtin"
},
{
"id": 7,
"name": "All Hosts",
"description": "All hosts which have enrolled in Fleet",
"label_type": "builtin"
},
{
"id": 8,
"name": "macOS",
"description": "All macOS hosts",
"label_type": "builtin"
},
{
"id": 9,
"name": "Ubuntu Linux",
"description": "All Ubuntu hosts",
"label_type": "builtin"
},
{
"id": 10,
"name": "CentOS Linux",
"description": "All CentOS hosts",
"label_type": "builtin"
},
{
"id": 11,
"name": "MS Windows",
"description": "All Windows hosts",
"label_type": "builtin"
},
{
"id": 12,
"name": "Red Hat Linux",
"description": "All Red Hat Enterprise Linux hosts",
"label_type": "builtin"
},
{
"id": 13,
"name": "All Linux",
"description": "All Linux distributions",
"label_type": "builtin"
},
{
"id": 14,
"name": "chrome",
"description": "All Chrome hosts",
"label_type": "builtin"
},
{
"id": 15,
"name": "iOS",
"description": "All iOS hosts",
"label_type": "builtin"
},
{
"id": 16,
"name": "iPadOS",
"description": "All iPadOS hosts",
"label_type": "builtin"
}
],
"platforms": [
{
"platform": "darwin",
"hosts_count": 3
},
{
"platform": "ios",
"hosts_count": 1
},
{
"platform": "ipados",
"hosts_count": 1
},
{
"platform": "rhel",
"hosts_count": 1
},
{
"platform": "ubuntu",
"hosts_count": 1
},
{
"platform": "windows",
"hosts_count": 2
}
]
}
```
## After selecting a platform
`GET /api/latest/fleet/host_summary?platform=ios&low_disk_space=100`
(similar with `ipados`)
```json
{
"totals_hosts_count": 1,
"online_count": 0,
"offline_count": 1,
"mia_count": 0,
"missing_30_days_count": 0,
"new_count": 0,
"all_linux_count": 0,
"low_disk_space_count": 1,
"builtin_labels": [
{
"id": 1,
"name": "macOS 14+ (Sonoma+)",
"description": "macOS hosts with version 14 and above",
"label_type": "builtin"
},
{
"id": 7,
"name": "All Hosts",
"description": "All hosts which have enrolled in Fleet",
"label_type": "builtin"
},
{
"id": 8,
"name": "macOS",
"description": "All macOS hosts",
"label_type": "builtin"
},
{
"id": 9,
"name": "Ubuntu Linux",
"description": "All Ubuntu hosts",
"label_type": "builtin"
},
{
"id": 10,
"name": "CentOS Linux",
"description": "All CentOS hosts",
"label_type": "builtin"
},
{
"id": 11,
"name": "MS Windows",
"description": "All Windows hosts",
"label_type": "builtin"
},
{
"id": 12,
"name": "Red Hat Linux",
"description": "All Red Hat Enterprise Linux hosts",
"label_type": "builtin"
},
{
"id": 13,
"name": "All Linux",
"description": "All Linux distributions",
"label_type": "builtin"
},
{
"id": 14,
"name": "chrome",
"description": "All Chrome hosts",
"label_type": "builtin"
},
{
"id": 15,
"name": "iOS",
"description": "All iOS hosts",
"label_type": "builtin"
},
{
"id": 16,
"name": "iPadOS",
"description": "All iPadOS hosts",
"label_type": "builtin"
}
],
"platforms": [
{
"platform": "ios",
"hosts_count": 1
}
]
}
```
### To populate list of MDM solutions of a selected platform
`GET /api/latest/fleet/hosts/summary/mdm\?platform=ios` (similar with
`ipados`)
```json
{
"counts_updated_at": "2024-06-27T21:56:45Z",
"mobile_device_management_enrollment_status": {
"enrolled_manual_hosts_count": 0,
"enrolled_automated_hosts_count": 1,
"pending_hosts_count": 0,
"unenrolled_hosts_count": 0,
"hosts_count": 1
},
"mobile_device_management_solution": [
{
"id": 1,
"name": "Fleet",
"server_url": "https://lucas-fleet.ngrok.app/mdm/apple/mdm",
"hosts_count": 1
}
]
}
```
### To populate OS versions of a selected platform
`GET /api/latest/fleet/os_versions?platform=ipados` (similar with `ios`)
```json
{
"meta": {
"has_next_results": false,
"has_previous_results": false
},
"count": 1,
"counts_updated_at": "2024-06-27T21:36:12Z",
"os_versions": [
{
"os_version_id": 7,
"hosts_count": 1,
"name": "iPadOS 17.5.1",
"name_only": "iPadOS",
"version": "17.5.1",
"platform": "ipados",
"vulnerabilities": []
}
]
}
```
## Filtering hosts by the two new `iOS`/`iPadOS` labels
Works the same as with other labels.
2024-07-08 21:05:29 +00:00
require . True ( t , ds . UpdateHostOperatingSystemFuncInvoked )
2024-08-21 13:51:04 +00:00
assert . True ( t , ds . RemoveHostMDMCommandFuncInvoked )
2024-05-28 22:17:14 +00:00
}
2024-07-28 14:17:27 +00:00
func TestUnmarshalAppList ( t * testing . T ) {
ctx := context . Background ( )
noApps := [ ] byte ( ` < ? xml version = "1.0" encoding = "UTF-8" ? >
< ! DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" >
< plist version = "1.0" >
< dict >
< key > CommandUUID < / key >
< string > c05c1a68 - 4127 - 4 fde - b0da - 965 cbd63f88f < / string >
< key > InstalledApplicationList < / key >
< array / >
< key > Status < / key >
< string > Acknowledged < / string >
< key > UDID < / key >
< string > 0000 8030 - 000E6 D623CD2202E < / string >
< / dict >
< / plist > ` )
software , err := unmarshalAppList ( ctx , noApps , "ipados_apps" )
require . NoError ( t , err )
assert . Empty ( t , software )
apps := [ ] byte ( ` < ? xml version = "1.0" encoding = "UTF-8" ? >
< ! DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" >
< plist version = "1.0" >
< dict >
< key > CommandUUID < / key >
< string > 21 ed54fc - 0e6 d - 4 fe3 - 8 c4f - feca0c548ce1 < / string >
< key > InstalledApplicationList < / key >
< array >
< dict >
< key > Identifier < / key >
< string > com . google . ios . youtube < / string >
< key > Name < / key >
< string > YouTube < / string >
< key > ShortVersion < / key >
< string > 19.29 .1 < / string >
< / dict >
< dict >
< key > Identifier < / key >
< string > com . evernote . iPhone . Evernote < / string >
< key > Name < / key >
< string > Evernote < / string >
2025-06-26 21:55:43 +00:00
< key > Installing < / key >
< false / >
2024-07-28 14:17:27 +00:00
< key > ShortVersion < / key >
< string > 10.98 .0 < / string >
< / dict >
< dict >
< key > Identifier < / key >
< string > com . netflix . Netflix < / string >
< key > Name < / key >
< string > Netflix < / string >
< key > ShortVersion < / key >
< string > 16.41 .0 < / string >
< / dict >
< / array >
< key > Status < / key >
< string > Acknowledged < / string >
< key > UDID < / key >
< string > 0000 8101 - 001514 810 EA3A01E < / string >
< / dict >
< / plist > ` )
expectedSoftware := [ ] fleet . Software {
{
Name : "YouTube" ,
Version : "19.29.1" ,
Source : "ios_apps" ,
BundleIdentifier : "com.google.ios.youtube" ,
} ,
{
Name : "Evernote" ,
Version : "10.98.0" ,
Source : "ios_apps" ,
BundleIdentifier : "com.evernote.iPhone.Evernote" ,
2025-06-26 21:55:43 +00:00
Installed : true ,
2024-07-28 14:17:27 +00:00
} ,
{
Name : "Netflix" ,
Version : "16.41.0" ,
Source : "ios_apps" ,
BundleIdentifier : "com.netflix.Netflix" ,
} ,
}
software , err = unmarshalAppList ( ctx , apps , "ios_apps" )
require . NoError ( t , err )
assert . ElementsMatch ( t , expectedSoftware , software )
}
2024-08-21 18:21:11 +00:00
func TestCheckMDMAppleEnrollmentWithMinimumOSVersion ( t * testing . T ) {
svc , ctx , ds := setupAppleMDMService ( t , & fleet . LicenseInfo { Tier : fleet . TierPremium } )
gdmf := httptest . NewServer ( http . HandlerFunc ( func ( w http . ResponseWriter , r * http . Request ) {
w . WriteHeader ( http . StatusOK )
// load the test data from the file
b , err := os . ReadFile ( "../mdm/apple/gdmf/testdata/gdmf.json" )
require . NoError ( t , err )
_ , err = w . Write ( b )
require . NoError ( t , err )
} ) )
defer gdmf . Close ( )
t . Setenv ( "FLEET_DEV_GDMF_URL" , gdmf . URL )
latestMacOSVersion := "14.6.1"
latestMacOSBuild := "23G93"
testCases := [ ] struct {
name string
machineInfo * fleet . MDMAppleMachineInfo
updateRequired * fleet . MDMAppleSoftwareUpdateRequiredDetails
err string
} {
{
name : "OS version is greater than latest" ,
machineInfo : & fleet . MDMAppleMachineInfo {
MDMCanRequestSoftwareUpdate : true ,
Product : "Mac15,7" ,
OSVersion : "14.6.2" ,
SupplementalBuildVersion : "IRRELEVANT" ,
SoftwareUpdateDeviceID : "J516sAP" ,
} ,
updateRequired : nil ,
} ,
{
name : "OS version is equal to latest" ,
machineInfo : & fleet . MDMAppleMachineInfo {
MDMCanRequestSoftwareUpdate : true ,
Product : "Mac15,7" ,
OSVersion : latestMacOSVersion ,
SupplementalBuildVersion : "IRRELEVANT" ,
SoftwareUpdateDeviceID : "J516sAP" ,
} ,
updateRequired : nil ,
} ,
{
name : "OS version is less than latest" ,
machineInfo : & fleet . MDMAppleMachineInfo {
MDMCanRequestSoftwareUpdate : true ,
Product : "Mac15,7" ,
OSVersion : "14.4" ,
SupplementalBuildVersion : "IRRELEVANT" ,
SoftwareUpdateDeviceID : "J516sAP" ,
} ,
updateRequired : & fleet . MDMAppleSoftwareUpdateRequiredDetails {
OSVersion : latestMacOSVersion ,
BuildVersion : latestMacOSBuild ,
} ,
} ,
{
name : "OS version is less than latest but MDM cannot request software update" ,
machineInfo : & fleet . MDMAppleMachineInfo {
MDMCanRequestSoftwareUpdate : false ,
Product : "Mac15,7" ,
OSVersion : "14.4" ,
SupplementalBuildVersion : "IRRELEVANT" ,
SoftwareUpdateDeviceID : "J516sAP" ,
} ,
updateRequired : nil ,
} ,
{
name : "no match for software update device ID" ,
machineInfo : & fleet . MDMAppleMachineInfo {
MDMCanRequestSoftwareUpdate : true ,
Product : "Mac15,7" ,
OSVersion : "14.4" ,
SupplementalBuildVersion : "IRRELEVANT" ,
SoftwareUpdateDeviceID : "INVALID" ,
} ,
updateRequired : nil ,
err : "" , // no error, allow enrollment to proceed without software update
} ,
{
name : "no machine info" ,
machineInfo : nil ,
updateRequired : nil ,
err : "" , // no error, allow enrollment to proceed without software update
} ,
{
name : "cannot parse OS version" ,
machineInfo : & fleet . MDMAppleMachineInfo {
MDMCanRequestSoftwareUpdate : true ,
Product : "Mac15,7" ,
OSVersion : "INVALID" ,
SupplementalBuildVersion : "IRRELEVANT" ,
SoftwareUpdateDeviceID : "J516sAP" ,
} ,
updateRequired : nil ,
2024-11-22 15:56:36 +00:00
err : "" , // no error, allow enrollment to proceed without software update
2024-08-21 18:21:11 +00:00
} ,
}
for _ , tt := range testCases {
t . Run ( tt . name , func ( t * testing . T ) {
t . Run ( "settings minimum equal to latest" , func ( t * testing . T ) {
ds . GetMDMAppleOSUpdatesSettingsByHostSerialFunc = func ( ctx context . Context , serial string ) ( * fleet . AppleOSUpdateSettings , error ) {
return & fleet . AppleOSUpdateSettings {
MinimumVersion : optjson . SetString ( latestMacOSVersion ) ,
} , nil
}
sur , err := svc . CheckMDMAppleEnrollmentWithMinimumOSVersion ( ctx , tt . machineInfo )
if tt . err != "" {
require . Error ( t , err )
require . Contains ( t , err . Error ( ) , tt . err )
} else {
require . NoError ( t , err )
}
if tt . updateRequired != nil {
require . Equal ( t , & fleet . MDMAppleSoftwareUpdateRequired {
Code : fleet . MDMAppleSoftwareUpdateRequiredCode ,
Details : * tt . updateRequired ,
} , sur )
} else {
require . Nil ( t , sur )
}
} )
t . Run ( "settings minimum below latest" , func ( t * testing . T ) {
ds . GetMDMAppleOSUpdatesSettingsByHostSerialFunc = func ( ctx context . Context , serial string ) ( * fleet . AppleOSUpdateSettings , error ) {
return & fleet . AppleOSUpdateSettings {
MinimumVersion : optjson . SetString ( "14.5" ) ,
} , nil
}
sur , err := svc . CheckMDMAppleEnrollmentWithMinimumOSVersion ( ctx , tt . machineInfo )
if tt . err != "" {
require . Error ( t , err )
require . Contains ( t , err . Error ( ) , tt . err )
} else {
require . NoError ( t , err )
}
if tt . updateRequired != nil {
require . Equal ( t , & fleet . MDMAppleSoftwareUpdateRequired {
Code : fleet . MDMAppleSoftwareUpdateRequiredCode ,
Details : * tt . updateRequired ,
} , sur )
} else {
require . Nil ( t , sur )
}
} )
t . Run ( "settings minimum above latest" , func ( t * testing . T ) {
// edge case, but in practice it would get treated as if minimum was equal to latest
ds . GetMDMAppleOSUpdatesSettingsByHostSerialFunc = func ( ctx context . Context , serial string ) ( * fleet . AppleOSUpdateSettings , error ) {
return & fleet . AppleOSUpdateSettings {
MinimumVersion : optjson . SetString ( "14.7" ) ,
} , nil
}
sur , err := svc . CheckMDMAppleEnrollmentWithMinimumOSVersion ( ctx , tt . machineInfo )
if tt . err != "" {
require . Error ( t , err )
require . Contains ( t , err . Error ( ) , tt . err )
} else {
require . NoError ( t , err )
}
if tt . updateRequired != nil {
require . Equal ( t , & fleet . MDMAppleSoftwareUpdateRequired {
Code : fleet . MDMAppleSoftwareUpdateRequiredCode ,
Details : * tt . updateRequired ,
} , sur )
} else {
require . Nil ( t , sur )
}
} )
t . Run ( "device above settings minimum" , func ( t * testing . T ) {
ds . GetMDMAppleOSUpdatesSettingsByHostSerialFunc = func ( ctx context . Context , serial string ) ( * fleet . AppleOSUpdateSettings , error ) {
return & fleet . AppleOSUpdateSettings {
MinimumVersion : optjson . SetString ( "14.1" ) ,
} , nil
}
sur , err := svc . CheckMDMAppleEnrollmentWithMinimumOSVersion ( ctx , tt . machineInfo )
if tt . err != "" {
require . Error ( t , err )
require . Contains ( t , err . Error ( ) , tt . err )
} else {
require . NoError ( t , err )
}
require . Nil ( t , sur )
} )
t . Run ( "minimum not set" , func ( t * testing . T ) {
ds . GetMDMAppleOSUpdatesSettingsByHostSerialFunc = func ( ctx context . Context , serial string ) ( * fleet . AppleOSUpdateSettings , error ) {
return & fleet . AppleOSUpdateSettings { } , nil
}
sur , err := svc . CheckMDMAppleEnrollmentWithMinimumOSVersion ( ctx , tt . machineInfo )
require . NoError ( t , err )
require . Nil ( t , sur )
ds . GetMDMAppleOSUpdatesSettingsByHostSerialFunc = func ( ctx context . Context , serial string ) ( * fleet . AppleOSUpdateSettings , error ) {
return & fleet . AppleOSUpdateSettings {
MinimumVersion : optjson . SetString ( "" ) ,
} , nil
}
sur , err = svc . CheckMDMAppleEnrollmentWithMinimumOSVersion ( ctx , tt . machineInfo )
require . NoError ( t , err )
require . Nil ( t , sur )
} )
t . Run ( "minimum not found" , func ( t * testing . T ) {
ds . GetMDMAppleOSUpdatesSettingsByHostSerialFunc = func ( ctx context . Context , serial string ) ( * fleet . AppleOSUpdateSettings , error ) {
return nil , & notFoundError { }
}
sur , err := svc . CheckMDMAppleEnrollmentWithMinimumOSVersion ( ctx , tt . machineInfo )
require . NoError ( t , err )
require . Nil ( t , sur )
} )
} )
}
t . Run ( "gdmf server is down" , func ( t * testing . T ) {
gdmf . Close ( )
for _ , tt := range testCases {
t . Run ( tt . name , func ( t * testing . T ) {
ds . GetMDMAppleOSUpdatesSettingsByHostSerialFunc = func ( ctx context . Context , serial string ) ( * fleet . AppleOSUpdateSettings , error ) {
return & fleet . AppleOSUpdateSettings { MinimumVersion : optjson . SetString ( latestMacOSVersion ) } , nil
}
sur , err := svc . CheckMDMAppleEnrollmentWithMinimumOSVersion ( ctx , tt . machineInfo )
if tt . err != "" {
require . Error ( t , err )
require . Contains ( t , err . Error ( ) , tt . err ) // still can get errors parsing the versions from the device info header or config settings
} else {
require . NoError ( t , err )
}
require . Nil ( t , sur ) // if gdmf server is down, we don't enforce os updates for DEP
} )
}
} )
}
2025-03-19 13:27:55 +00:00
2025-04-22 13:09:00 +00:00
func TestPreprocessProfileContentsEndUserIDP ( t * testing . T ) {
ctx := context . Background ( )
logger := kitlog . NewNopLogger ( )
appCfg := & fleet . AppConfig { }
appCfg . ServerSettings . ServerURL = "https://test.example.com"
appCfg . MDM . EnabledAndConfigured = true
ds := new ( mock . Store )
svc := eeservice . NewSCEPConfigService ( logger , nil )
digiCertService := digicert . NewService ( digicert . WithLogger ( logger ) )
hostUUID := "host-1"
cmdUUID := "cmd-1"
var targets map [ string ] * cmdTarget
// this is a func to re-create it each time because calling the preprocess function modifies this
populateTargets := func ( ) {
targets = map [ string ] * cmdTarget {
2025-06-16 20:46:38 +00:00
"p1" : { cmdUUID : cmdUUID , profIdent : "com.add.profile" , enrollmentIDs : [ ] string { hostUUID } } ,
2025-04-22 13:09:00 +00:00
}
}
hostProfilesToInstallMap := map [ hostProfileUUID ] * fleet . MDMAppleBulkUpsertHostProfilePayload {
2025-04-30 19:31:45 +00:00
{ HostUUID : hostUUID , ProfileUUID : "p1" } : {
2025-04-22 13:09:00 +00:00
ProfileUUID : "p1" ,
ProfileIdentifier : "com.add.profile" ,
HostUUID : hostUUID ,
OperationType : fleet . MDMOperationTypeInstall ,
Status : & fleet . MDMDeliveryPending ,
CommandUUID : cmdUUID ,
} ,
}
2025-06-16 20:46:38 +00:00
userEnrollmentsToHostUUIDsMap := make ( map [ string ] string )
2025-04-22 13:09:00 +00:00
var updatedPayload * fleet . MDMAppleBulkUpsertHostProfilePayload
var expectedStatus fleet . MDMDeliveryStatus
ds . BulkUpsertMDMAppleHostProfilesFunc = func ( ctx context . Context , payload [ ] * fleet . MDMAppleBulkUpsertHostProfilePayload ) error {
require . Len ( t , payload , 1 )
updatedPayload = payload [ 0 ]
require . NotNil ( t , updatedPayload . Status )
assert . Equal ( t , expectedStatus , * updatedPayload . Status )
// cmdUUID was replaced by a new unique command on success
assert . NotEqual ( t , cmdUUID , updatedPayload . CommandUUID )
assert . Equal ( t , hostUUID , updatedPayload . HostUUID )
assert . Equal ( t , fleet . MDMOperationTypeInstall , updatedPayload . OperationType )
return nil
}
ds . HostIDsByIdentifierFunc = func ( ctx context . Context , filter fleet . TeamFilter , idents [ ] string ) ( [ ] uint , error ) {
require . Len ( t , idents , 1 )
require . Equal ( t , hostUUID , idents [ 0 ] )
return [ ] uint { 1 } , nil
}
var updatedProfile * fleet . HostMDMAppleProfile
ds . UpdateOrDeleteHostMDMAppleProfileFunc = func ( ctx context . Context , profile * fleet . HostMDMAppleProfile ) error {
updatedProfile = profile
require . NotNil ( t , profile . Status )
assert . Equal ( t , expectedStatus , * profile . Status )
return nil
}
2025-09-04 16:39:41 +00:00
ds . GetAllCertificateAuthoritiesFunc = func ( ctx context . Context , includeSecrets bool ) ( [ ] * fleet . CertificateAuthority , error ) {
return [ ] * fleet . CertificateAuthority { } , nil
}
2025-04-22 13:09:00 +00:00
cases := [ ] struct {
desc string
profileContent string
expectedStatus fleet . MDMDeliveryStatus
setup func ( )
assert func ( output string )
} {
{
desc : "username only scim" ,
2025-08-10 10:24:38 +00:00
profileContent : "$FLEET_VAR_" + string ( fleet . FleetVarHostEndUserIDPUsername ) ,
2025-04-22 13:09:00 +00:00
expectedStatus : fleet . MDMDeliveryPending ,
setup : func ( ) {
ds . ScimUserByHostIDFunc = func ( ctx context . Context , hostID uint ) ( * fleet . ScimUser , error ) {
require . EqualValues ( t , 1 , hostID )
return & fleet . ScimUser { UserName : "user1@example.com" , Groups : [ ] fleet . ScimUserGroup { } } , nil
}
ds . ListHostDeviceMappingFunc = func ( ctx context . Context , id uint ) ( [ ] * fleet . HostDeviceMapping , error ) {
return nil , nil
}
} ,
assert : func ( output string ) {
assert . Empty ( t , updatedPayload . Detail ) // no error detail
assert . Len ( t , targets , 1 ) // target is still present
require . Equal ( t , "user1@example.com" , output )
} ,
} ,
{
desc : "username local part only scim" ,
2025-08-10 10:24:38 +00:00
profileContent : "$FLEET_VAR_" + string ( fleet . FleetVarHostEndUserIDPUsernameLocalPart ) ,
2025-04-22 13:09:00 +00:00
expectedStatus : fleet . MDMDeliveryPending ,
setup : func ( ) {
ds . ScimUserByHostIDFunc = func ( ctx context . Context , hostID uint ) ( * fleet . ScimUser , error ) {
require . EqualValues ( t , 1 , hostID )
return & fleet . ScimUser { UserName : "user1@example.com" , Groups : [ ] fleet . ScimUserGroup { } } , nil
}
ds . ListHostDeviceMappingFunc = func ( ctx context . Context , id uint ) ( [ ] * fleet . HostDeviceMapping , error ) {
return nil , nil
}
} ,
assert : func ( output string ) {
assert . Empty ( t , updatedPayload . Detail ) // no error detail
assert . Len ( t , targets , 1 ) // target is still present
require . Equal ( t , "user1" , output )
} ,
} ,
{
desc : "groups only scim" ,
2025-08-10 10:24:38 +00:00
profileContent : "$FLEET_VAR_" + string ( fleet . FleetVarHostEndUserIDPGroups ) ,
2025-04-22 13:09:00 +00:00
expectedStatus : fleet . MDMDeliveryPending ,
setup : func ( ) {
ds . ScimUserByHostIDFunc = func ( ctx context . Context , hostID uint ) ( * fleet . ScimUser , error ) {
require . EqualValues ( t , 1 , hostID )
return & fleet . ScimUser { UserName : "user1@example.com" , Groups : [ ] fleet . ScimUserGroup {
{ DisplayName : "a" } ,
{ DisplayName : "b" } ,
} } , nil
}
ds . ListHostDeviceMappingFunc = func ( ctx context . Context , id uint ) ( [ ] * fleet . HostDeviceMapping , error ) {
return nil , nil
}
} ,
assert : func ( output string ) {
assert . Empty ( t , updatedPayload . Detail ) // no error detail
assert . Len ( t , targets , 1 ) // target is still present
require . Equal ( t , "a,b" , output )
} ,
} ,
{
desc : "multiple times username only scim" ,
2025-08-10 10:24:38 +00:00
profileContent : strings . Repeat ( "${FLEET_VAR_" + string ( fleet . FleetVarHostEndUserIDPUsername ) + "}" , 3 ) ,
2025-04-22 13:09:00 +00:00
expectedStatus : fleet . MDMDeliveryPending ,
setup : func ( ) {
ds . ScimUserByHostIDFunc = func ( ctx context . Context , hostID uint ) ( * fleet . ScimUser , error ) {
require . EqualValues ( t , 1 , hostID )
return & fleet . ScimUser { UserName : "user1@example.com" , Groups : [ ] fleet . ScimUserGroup { } } , nil
}
ds . ListHostDeviceMappingFunc = func ( ctx context . Context , id uint ) ( [ ] * fleet . HostDeviceMapping , error ) {
return nil , nil
}
} ,
assert : func ( output string ) {
assert . Empty ( t , updatedPayload . Detail ) // no error detail
assert . Len ( t , targets , 1 ) // target is still present
require . Equal ( t , "user1@example.comuser1@example.comuser1@example.com" , output )
} ,
} ,
{
desc : "all 3 vars with scim" ,
2025-08-10 10:24:38 +00:00
profileContent : "${FLEET_VAR_" + string ( fleet . FleetVarHostEndUserIDPUsername ) + "}${FLEET_VAR_" + string ( fleet . FleetVarHostEndUserIDPUsernameLocalPart ) + "}${FLEET_VAR_" + string ( fleet . FleetVarHostEndUserIDPGroups ) + "}" ,
2025-04-22 13:09:00 +00:00
expectedStatus : fleet . MDMDeliveryPending ,
setup : func ( ) {
ds . ScimUserByHostIDFunc = func ( ctx context . Context , hostID uint ) ( * fleet . ScimUser , error ) {
require . EqualValues ( t , 1 , hostID )
return & fleet . ScimUser { UserName : "user1@example.com" , Groups : [ ] fleet . ScimUserGroup {
{ DisplayName : "a" } ,
{ DisplayName : "b" } ,
} } , nil
}
ds . ListHostDeviceMappingFunc = func ( ctx context . Context , id uint ) ( [ ] * fleet . HostDeviceMapping , error ) {
return nil , nil
}
} ,
assert : func ( output string ) {
assert . Empty ( t , updatedPayload . Detail ) // no error detail
assert . Len ( t , targets , 1 ) // target is still present
require . Equal ( t , "user1@example.comuser1a,b" , output )
} ,
} ,
{
desc : "username no scim, with idp" ,
2025-08-10 10:24:38 +00:00
profileContent : "$FLEET_VAR_" + string ( fleet . FleetVarHostEndUserIDPUsername ) ,
2025-04-22 13:09:00 +00:00
expectedStatus : fleet . MDMDeliveryPending ,
setup : func ( ) {
ds . ScimUserByHostIDFunc = func ( ctx context . Context , hostID uint ) ( * fleet . ScimUser , error ) {
return nil , newNotFoundError ( )
}
ds . ListHostDeviceMappingFunc = func ( ctx context . Context , id uint ) ( [ ] * fleet . HostDeviceMapping , error ) {
return [ ] * fleet . HostDeviceMapping {
{ Email : "idp@example.com" , Source : fleet . DeviceMappingMDMIdpAccounts } ,
{ Email : "other@example.com" , Source : fleet . DeviceMappingGoogleChromeProfiles } ,
} , nil
}
} ,
assert : func ( output string ) {
assert . Empty ( t , updatedPayload . Detail ) // no error detail
assert . Len ( t , targets , 1 ) // target is still present
require . Equal ( t , "idp@example.com" , output )
} ,
} ,
{
desc : "username scim and idp" ,
2025-08-10 10:24:38 +00:00
profileContent : "$FLEET_VAR_" + string ( fleet . FleetVarHostEndUserIDPUsername ) ,
2025-04-22 13:09:00 +00:00
expectedStatus : fleet . MDMDeliveryPending ,
setup : func ( ) {
ds . ScimUserByHostIDFunc = func ( ctx context . Context , hostID uint ) ( * fleet . ScimUser , error ) {
return & fleet . ScimUser { UserName : "user1@example.com" , Groups : [ ] fleet . ScimUserGroup { } } , nil
}
ds . ListHostDeviceMappingFunc = func ( ctx context . Context , id uint ) ( [ ] * fleet . HostDeviceMapping , error ) {
return [ ] * fleet . HostDeviceMapping {
{ Email : "idp@example.com" , Source : fleet . DeviceMappingMDMIdpAccounts } ,
{ Email : "other@example.com" , Source : fleet . DeviceMappingGoogleChromeProfiles } ,
} , nil
}
} ,
assert : func ( output string ) {
assert . Empty ( t , updatedPayload . Detail ) // no error detail
assert . Len ( t , targets , 1 ) // target is still present
require . Equal ( t , "user1@example.com" , output )
} ,
} ,
{
2025-06-30 15:08:36 +00:00
desc : "username, no idp user" ,
2025-08-10 10:24:38 +00:00
profileContent : "$FLEET_VAR_" + string ( fleet . FleetVarHostEndUserIDPUsername ) ,
2025-04-22 13:09:00 +00:00
expectedStatus : fleet . MDMDeliveryFailed ,
setup : func ( ) {
ds . ScimUserByHostIDFunc = func ( ctx context . Context , hostID uint ) ( * fleet . ScimUser , error ) {
return nil , newNotFoundError ( )
}
ds . ListHostDeviceMappingFunc = func ( ctx context . Context , id uint ) ( [ ] * fleet . HostDeviceMapping , error ) {
return [ ] * fleet . HostDeviceMapping {
{ Email : "other@example.com" , Source : fleet . DeviceMappingGoogleChromeProfiles } ,
} , nil
}
} ,
assert : func ( output string ) {
assert . Len ( t , targets , 0 ) // target is not present
2025-08-10 10:24:38 +00:00
assert . Contains ( t , updatedProfile . Detail , "There is no IdP username for this host. Fleet couldn't populate $FLEET_VAR_HOST_END_USER_IDP_USERNAME." )
2025-04-22 13:09:00 +00:00
} ,
} ,
{
2025-06-30 15:08:36 +00:00
desc : "username local part, no idp user" ,
2025-08-10 10:24:38 +00:00
profileContent : "$FLEET_VAR_" + string ( fleet . FleetVarHostEndUserIDPUsernameLocalPart ) ,
2025-04-22 13:09:00 +00:00
expectedStatus : fleet . MDMDeliveryFailed ,
setup : func ( ) {
ds . ScimUserByHostIDFunc = func ( ctx context . Context , hostID uint ) ( * fleet . ScimUser , error ) {
return nil , newNotFoundError ( )
}
ds . ListHostDeviceMappingFunc = func ( ctx context . Context , id uint ) ( [ ] * fleet . HostDeviceMapping , error ) {
return [ ] * fleet . HostDeviceMapping {
{ Email : "other@example.com" , Source : fleet . DeviceMappingGoogleChromeProfiles } ,
} , nil
}
} ,
assert : func ( output string ) {
assert . Len ( t , targets , 0 ) // target is not present
2025-08-10 10:24:38 +00:00
assert . Contains ( t , updatedProfile . Detail , "There is no IdP username for this host. Fleet couldn't populate $FLEET_VAR_HOST_END_USER_IDP_USERNAME_LOCAL_PART." )
2025-04-22 13:09:00 +00:00
} ,
} ,
{
2025-06-30 15:08:36 +00:00
desc : "groups, no idp user" ,
2025-08-10 10:24:38 +00:00
profileContent : "$FLEET_VAR_" + string ( fleet . FleetVarHostEndUserIDPGroups ) ,
2025-04-22 13:09:00 +00:00
expectedStatus : fleet . MDMDeliveryFailed ,
setup : func ( ) {
ds . ScimUserByHostIDFunc = func ( ctx context . Context , hostID uint ) ( * fleet . ScimUser , error ) {
return nil , newNotFoundError ( )
}
ds . ListHostDeviceMappingFunc = func ( ctx context . Context , id uint ) ( [ ] * fleet . HostDeviceMapping , error ) {
return [ ] * fleet . HostDeviceMapping { } , nil
}
} ,
assert : func ( output string ) {
assert . Len ( t , targets , 0 ) // target is not present
assert . Contains ( t , updatedProfile . Detail , "There is no IdP groups for this host. Fleet couldn’ )
} ,
} ,
2025-06-30 15:08:36 +00:00
{
desc : "department, no idp user" ,
2025-08-10 10:24:38 +00:00
profileContent : "$FLEET_VAR_" + string ( fleet . FleetVarHostEndUserIDPDepartment ) ,
2025-06-30 15:08:36 +00:00
expectedStatus : fleet . MDMDeliveryFailed ,
setup : func ( ) {
ds . ScimUserByHostIDFunc = func ( ctx context . Context , hostID uint ) ( * fleet . ScimUser , error ) {
return nil , newNotFoundError ( )
}
ds . ListHostDeviceMappingFunc = func ( ctx context . Context , id uint ) ( [ ] * fleet . HostDeviceMapping , error ) {
return [ ] * fleet . HostDeviceMapping { } , nil
}
} ,
assert : func ( output string ) {
assert . Len ( t , targets , 0 ) // target is not present
assert . Contains ( t , updatedProfile . Detail , "There is no IdP department for this host. Fleet couldn’ )
} ,
} ,
2025-04-22 13:09:00 +00:00
{
desc : "groups with scim user but no group" ,
2025-08-10 10:24:38 +00:00
profileContent : "$FLEET_VAR_" + string ( fleet . FleetVarHostEndUserIDPGroups ) ,
2025-04-22 13:09:00 +00:00
expectedStatus : fleet . MDMDeliveryFailed ,
setup : func ( ) {
ds . ScimUserByHostIDFunc = func ( ctx context . Context , hostID uint ) ( * fleet . ScimUser , error ) {
return & fleet . ScimUser { UserName : "user1@example.com" , Groups : [ ] fleet . ScimUserGroup { } } , nil
}
ds . ListHostDeviceMappingFunc = func ( ctx context . Context , id uint ) ( [ ] * fleet . HostDeviceMapping , error ) {
return [ ] * fleet . HostDeviceMapping { } , nil
}
} ,
assert : func ( output string ) {
assert . Len ( t , targets , 0 ) // target is not present
assert . Contains ( t , updatedProfile . Detail , "There is no IdP groups for this host. Fleet couldn’ )
} ,
} ,
2025-06-29 18:23:03 +00:00
{
desc : "profile with scim department" ,
2025-08-10 10:24:38 +00:00
profileContent : "$FLEET_VAR_" + string ( fleet . FleetVarHostEndUserIDPDepartment ) ,
2025-06-29 18:23:03 +00:00
expectedStatus : fleet . MDMDeliveryPending ,
setup : func ( ) {
ds . ScimUserByHostIDFunc = func ( ctx context . Context , hostID uint ) ( * fleet . ScimUser , error ) {
require . EqualValues ( t , 1 , hostID )
return & fleet . ScimUser {
UserName : "user1@example.com" ,
Groups : [ ] fleet . ScimUserGroup { } ,
Department : ptr . String ( "Engineering" ) ,
} , nil
}
ds . ListHostDeviceMappingFunc = func ( ctx context . Context , id uint ) ( [ ] * fleet . HostDeviceMapping , error ) {
return nil , nil
}
} ,
assert : func ( output string ) {
assert . Empty ( t , updatedPayload . Detail ) // no error detail
assert . Len ( t , targets , 1 ) // target is still present
require . Equal ( t , "Engineering" , output )
} ,
} ,
{
2025-06-30 15:08:36 +00:00
desc : "profile with scim department, user has no department" ,
2025-08-10 10:24:38 +00:00
profileContent : "$FLEET_VAR_" + string ( fleet . FleetVarHostEndUserIDPDepartment ) ,
2025-06-30 15:08:36 +00:00
expectedStatus : fleet . MDMDeliveryFailed ,
2025-06-29 18:23:03 +00:00
setup : func ( ) {
ds . ScimUserByHostIDFunc = func ( ctx context . Context , hostID uint ) ( * fleet . ScimUser , error ) {
require . EqualValues ( t , 1 , hostID )
return & fleet . ScimUser {
UserName : "user1@example.com" ,
Groups : [ ] fleet . ScimUserGroup { } ,
Department : nil ,
} , nil
}
ds . ListHostDeviceMappingFunc = func ( ctx context . Context , id uint ) ( [ ] * fleet . HostDeviceMapping , error ) {
return nil , nil
}
} ,
assert : func ( output string ) {
2025-06-30 15:08:36 +00:00
assert . Len ( t , targets , 0 ) // target is not present
assert . Contains ( t , updatedProfile . Detail , "There is no IdP department for this host. Fleet couldn’ )
2025-06-29 18:23:03 +00:00
} ,
} ,
2025-08-26 15:55:58 +00:00
{
desc : "profile with scim full name, user has full name" ,
profileContent : "$FLEET_VAR_" + string ( fleet . FleetVarHostEndUserIDPFullname ) ,
expectedStatus : fleet . MDMDeliveryPending ,
setup : func ( ) {
ds . ScimUserByHostIDFunc = func ( ctx context . Context , hostID uint ) ( * fleet . ScimUser , error ) {
require . EqualValues ( t , 1 , hostID )
return & fleet . ScimUser {
UserName : "fake" ,
GivenName : ptr . String ( "First" ) ,
FamilyName : ptr . String ( "Last" ) ,
} , nil
}
ds . ListHostDeviceMappingFunc = func ( ctx context . Context , id uint ) ( [ ] * fleet . HostDeviceMapping , error ) {
return nil , nil
}
} ,
assert : func ( output string ) {
assert . Empty ( t , updatedPayload . Detail ) // no error detail
assert . Len ( t , targets , 1 ) // target is still present
require . Equal ( t , "First Last" , output )
} ,
} ,
{
desc : "profile with scim full name, user only has given name" ,
profileContent : "$FLEET_VAR_" + string ( fleet . FleetVarHostEndUserIDPFullname ) ,
expectedStatus : fleet . MDMDeliveryPending ,
setup : func ( ) {
ds . ScimUserByHostIDFunc = func ( ctx context . Context , hostID uint ) ( * fleet . ScimUser , error ) {
require . EqualValues ( t , 1 , hostID )
return & fleet . ScimUser {
UserName : "fake" ,
GivenName : ptr . String ( "First" ) ,
} , nil
}
ds . ListHostDeviceMappingFunc = func ( ctx context . Context , id uint ) ( [ ] * fleet . HostDeviceMapping , error ) {
return nil , nil
}
} ,
assert : func ( output string ) {
assert . Empty ( t , updatedPayload . Detail ) // no error detail
assert . Len ( t , targets , 1 ) // target is still present
require . Equal ( t , "First" , output )
} ,
} ,
{
desc : "profile with scim full name, user only has family name" ,
profileContent : "$FLEET_VAR_" + string ( fleet . FleetVarHostEndUserIDPFullname ) ,
expectedStatus : fleet . MDMDeliveryPending ,
setup : func ( ) {
ds . ScimUserByHostIDFunc = func ( ctx context . Context , hostID uint ) ( * fleet . ScimUser , error ) {
require . EqualValues ( t , 1 , hostID )
return & fleet . ScimUser {
UserName : "fake" ,
FamilyName : ptr . String ( "Last" ) ,
} , nil
}
ds . ListHostDeviceMappingFunc = func ( ctx context . Context , id uint ) ( [ ] * fleet . HostDeviceMapping , error ) {
return nil , nil
}
} ,
assert : func ( output string ) {
assert . Empty ( t , updatedPayload . Detail ) // no error detail
assert . Len ( t , targets , 1 ) // target is still present
require . Equal ( t , "Last" , output )
} ,
} ,
{
desc : "profile with scim full name, user has no full name value" ,
profileContent : "$FLEET_VAR_" + string ( fleet . FleetVarHostEndUserIDPFullname ) ,
expectedStatus : fleet . MDMDeliveryFailed ,
setup : func ( ) {
ds . ScimUserByHostIDFunc = func ( ctx context . Context , hostID uint ) ( * fleet . ScimUser , error ) {
require . EqualValues ( t , 1 , hostID )
return & fleet . ScimUser {
UserName : "fake" ,
} , nil
}
ds . ListHostDeviceMappingFunc = func ( ctx context . Context , id uint ) ( [ ] * fleet . HostDeviceMapping , error ) {
return nil , nil
}
} ,
assert : func ( output string ) {
assert . Contains ( t , updatedProfile . Detail , fmt . Sprintf ( "There is no IdP full name for this host. Fleet couldn’ , fleet . FleetVarHostEndUserIDPFullname ) )
assert . Len ( t , targets , 0 )
} ,
} ,
2025-04-22 13:09:00 +00:00
}
for _ , c := range cases {
t . Run ( c . desc , func ( t * testing . T ) {
c . setup ( )
profileContents := map [ string ] mobileconfig . Mobileconfig {
"p1" : [ ] byte ( c . profileContent ) ,
}
populateTargets ( )
expectedStatus = c . expectedStatus
updatedPayload = nil
updatedProfile = nil
2025-09-04 16:39:41 +00:00
err := preprocessProfileContents ( ctx , appCfg , ds , svc , digiCertService , logger , targets , profileContents , hostProfilesToInstallMap , userEnrollmentsToHostUUIDsMap , nil )
2025-04-22 13:09:00 +00:00
require . NoError ( t , err )
var output string
if expectedStatus == fleet . MDMDeliveryFailed {
require . Nil ( t , updatedPayload )
require . NotNil ( t , updatedProfile )
} else {
require . NotNil ( t , updatedPayload )
require . Nil ( t , updatedProfile )
output = string ( profileContents [ updatedPayload . CommandUUID ] )
}
c . assert ( output )
} )
}
}
2025-08-11 12:47:55 +00:00
func TestValidateConfigProfileFleetVariablesLicense ( t * testing . T ) {
t . Parallel ( )
profileWithVars := ` < ? xml version = "1.0" encoding = "UTF-8" ? >
< ! DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" >
< plist version = "1.0" >
< dict >
< key > PayloadDescription < / key >
< string > Test profile with Fleet variable < / string >
< key > PayloadDisplayName < / key >
< string > Test Profile < / string >
< key > PayloadContent < / key >
< array >
< dict >
< key > ComputerName < / key >
< string > $ FLEET_VAR_HOST_END_USER_EMAIL_IDP < / string >
< / dict >
< / array >
< / dict >
< / plist > `
// Test with free license
freeLic := & fleet . LicenseInfo { Tier : fleet . TierFree }
2025-09-04 16:39:41 +00:00
_ , err := validateConfigProfileFleetVariables ( profileWithVars , freeLic , nil )
2025-08-11 12:47:55 +00:00
require . ErrorIs ( t , err , fleet . ErrMissingLicense )
// Test with premium license
premiumLic := & fleet . LicenseInfo { Tier : fleet . TierPremium }
2025-09-04 16:39:41 +00:00
vars , err := validateConfigProfileFleetVariables ( profileWithVars , premiumLic , & fleet . GroupedCertificateAuthorities { } )
2025-08-11 12:47:55 +00:00
require . NoError ( t , err )
require . Contains ( t , vars , "HOST_END_USER_EMAIL_IDP" )
// Test profile without variables (should work with free license)
profileNoVars := ` < ? xml version = "1.0" encoding = "UTF-8" ? >
< ! DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" >
< plist version = "1.0" >
< dict >
< key > PayloadDescription < / key >
< string > Test profile without Fleet variables < / string >
< key > PayloadDisplayName < / key >
< string > Test Profile < / string >
< key > PayloadContent < / key >
< array >
< dict >
< key > ComputerName < / key >
< string > StaticValue < / string >
< / dict >
< / array >
< / dict >
< / plist > `
2025-09-04 16:39:41 +00:00
vars , err = validateConfigProfileFleetVariables ( profileNoVars , freeLic , & fleet . GroupedCertificateAuthorities { } )
2025-08-11 12:47:55 +00:00
require . NoError ( t , err )
require . Empty ( t , vars )
}
2025-03-19 13:27:55 +00:00
func TestValidateConfigProfileFleetVariables ( t * testing . T ) {
t . Parallel ( )
2025-09-04 16:39:41 +00:00
groupedCAs := & fleet . GroupedCertificateAuthorities {
DigiCert : [ ] fleet . DigiCertCA {
newMockDigicertCA ( "https://example.com" , "caName" ) ,
newMockDigicertCA ( "https://example.com" , "caName2" ) ,
} ,
CustomScepProxy : [ ] fleet . CustomSCEPProxyCA {
newMockCustomSCEPProxyCA ( "https://example.com" , "scepName" ) ,
newMockCustomSCEPProxyCA ( "https://example.com" , "scepName2" ) ,
2025-03-19 13:27:55 +00:00
} ,
}
cases := [ ] struct {
name string
profile string
errMsg string
2025-04-30 20:03:23 +00:00
vars [ ] string
2025-03-19 13:27:55 +00:00
} {
{
name : "DigiCert badCA" ,
profile : digiCertForValidation ( "$FLEET_VAR_DIGICERT_PASSWORD_bad" , "$FLEET_VAR_DIGICERT_DATA_bad" , "Name" ,
"com.apple.security.pkcs12" ) ,
errMsg : "_bad is not supported in configuration profiles" ,
} ,
{
name : "DigiCert password missing" ,
profile : digiCertForValidation ( "password" , "$FLEET_VAR_DIGICERT_DATA_caName" , "Name" , "com.apple.security.pkcs12" ) ,
errMsg : "Missing $FLEET_VAR_DIGICERT_PASSWORD_caName" ,
} ,
{
name : "DigiCert data missing" ,
profile : digiCertForValidation ( "$FLEET_VAR_DIGICERT_PASSWORD_caName" , "data" , "Name" ,
"com.apple.security.pkcs12" ) ,
errMsg : "Missing $FLEET_VAR_DIGICERT_DATA_caName" ,
} ,
{
name : "DigiCert password and data CA names don't match" ,
profile : digiCertForValidation ( "$FLEET_VAR_DIGICERT_PASSWORD_caName" , "$FLEET_VAR_DIGICERT_DATA_caName2" , "Name" ,
"com.apple.security.pkcs12" ) ,
errMsg : "Missing $FLEET_VAR_DIGICERT_DATA_caName in the profile" ,
} ,
{
name : "DigiCert password shows up an extra time" ,
profile : digiCertForValidation ( "$FLEET_VAR_DIGICERT_PASSWORD_caName" , "$FLEET_VAR_DIGICERT_DATA_caName" ,
"$FLEET_VAR_DIGICERT_PASSWORD_caName" ,
"com.apple.security.pkcs12" ) ,
errMsg : "$FLEET_VAR_DIGICERT_PASSWORD_caName is already present in configuration profile" ,
} ,
{
name : "DigiCert data shows up an extra time" ,
profile : digiCertForValidation ( "$FLEET_VAR_DIGICERT_PASSWORD_caName" , "$FLEET_VAR_DIGICERT_DATA_caName" ,
"$FLEET_VAR_DIGICERT_DATA_caName" ,
"com.apple.security.pkcs12" ) ,
errMsg : "$FLEET_VAR_DIGICERT_DATA_caName is already present in configuration profile" ,
} ,
{
name : "DigiCert profile is not pkcs12" ,
profile : digiCertForValidation ( "$FLEET_VAR_DIGICERT_PASSWORD_caName" , "$FLEET_VAR_DIGICERT_DATA_caName" , "Name" ,
"com.apple.security.pkcs13" ) ,
2025-03-28 20:30:11 +00:00
errMsg : "Variables $FLEET_VAR_DIGICERT_PASSWORD_caName and $FLEET_VAR_DIGICERT_DATA_caName can only be included in the 'com.apple.security.pkcs12' payload" ,
2025-03-19 13:27:55 +00:00
} ,
{
name : "DigiCert password is not a fleet variable" ,
profile : digiCertForValidation ( "x$FLEET_VAR_DIGICERT_PASSWORD_caName" , "${FLEET_VAR_DIGICERT_DATA_caName}" , "Name" ,
"com.apple.security.pkcs12" ) ,
2025-03-28 20:30:11 +00:00
errMsg : "included in the 'com.apple.security.pkcs12' payload under Password and PayloadContent, respectively" ,
2025-03-19 13:27:55 +00:00
} ,
{
name : "DigiCert data is not a fleet variable" ,
profile : digiCertForValidation ( "${FLEET_VAR_DIGICERT_PASSWORD_caName}" , "x${FLEET_VAR_DIGICERT_DATA_caName}" , "Name" ,
"com.apple.security.pkcs12" ) ,
errMsg : "Failed to parse PKCS12 payload with Fleet variables" ,
} ,
{
name : "DigiCert happy path" ,
profile : digiCertForValidation ( "${FLEET_VAR_DIGICERT_PASSWORD_caName}" , "${FLEET_VAR_DIGICERT_DATA_caName}" , "Name" ,
"com.apple.security.pkcs12" ) ,
errMsg : "" ,
2025-04-30 20:03:23 +00:00
vars : [ ] string { "DIGICERT_PASSWORD_caName" , "DIGICERT_DATA_caName" } ,
2025-03-19 13:27:55 +00:00
} ,
{
name : "DigiCert 2 profiles with swapped variables" ,
profile : digiCertForValidation2 ( "${FLEET_VAR_DIGICERT_PASSWORD_caName}" , "${FLEET_VAR_DIGICERT_DATA_caName2}" ,
"$FLEET_VAR_DIGICERT_PASSWORD_caName2" , "$FLEET_VAR_DIGICERT_DATA_caName" ) ,
2025-03-28 19:27:50 +00:00
errMsg : "CA name mismatch between $FLEET_VAR_DIGICERT_PASSWORD_caName" ,
2025-03-19 13:27:55 +00:00
} ,
{
name : "DigiCert 2 profiles happy path" ,
profile : digiCertForValidation2 ( "${FLEET_VAR_DIGICERT_PASSWORD_caName}" , "${FLEET_VAR_DIGICERT_DATA_caName}" ,
"$FLEET_VAR_DIGICERT_PASSWORD_caName2" , "$FLEET_VAR_DIGICERT_DATA_caName2" ) ,
errMsg : "" ,
2025-04-30 20:03:23 +00:00
vars : [ ] string { "DIGICERT_PASSWORD_caName" , "DIGICERT_DATA_caName" , "DIGICERT_PASSWORD_caName2" , "DIGICERT_DATA_caName2" } ,
2025-03-19 13:27:55 +00:00
} ,
{
name : "Custom SCEP badCA" ,
profile : customSCEPForValidation ( "$FLEET_VAR_CUSTOM_SCEP_CHALLENGE_bad" , "$FLEET_VAR_CUSTOM_SCEP_PROXY_URL_bad" , "Name" ,
"com.apple.security.scep" ) ,
errMsg : "_bad is not supported in configuration profiles" ,
} ,
{
name : "Custom SCEP challenge missing" ,
profile : customSCEPForValidation ( "challenge" , "$FLEET_VAR_CUSTOM_SCEP_PROXY_URL_scepName" , "Name" , "com.apple.security.scep" ) ,
2025-04-30 19:31:45 +00:00
errMsg : "SCEP profile for custom SCEP certificate authority requires: $FLEET_VAR_CUSTOM_SCEP_CHALLENGE_<CA_NAME>, $FLEET_VAR_CUSTOM_SCEP_PROXY_URL_<CA_NAME>, and $FLEET_VAR_SCEP_RENEWAL_ID variables." ,
2025-03-19 13:27:55 +00:00
} ,
{
name : "Custom SCEP url missing" ,
profile : customSCEPForValidation ( "$FLEET_VAR_CUSTOM_SCEP_CHALLENGE_scepName" , "https://bozo.com" , "Name" ,
"com.apple.security.scep" ) ,
2025-04-30 19:31:45 +00:00
errMsg : "SCEP profile for custom SCEP certificate authority requires: $FLEET_VAR_CUSTOM_SCEP_CHALLENGE_<CA_NAME>, $FLEET_VAR_CUSTOM_SCEP_PROXY_URL_<CA_NAME>, and $FLEET_VAR_SCEP_RENEWAL_ID variables." ,
2025-03-19 13:27:55 +00:00
} ,
{
name : "Custom SCEP challenge and url CA names don't match" ,
profile : customSCEPForValidation ( "$FLEET_VAR_CUSTOM_SCEP_CHALLENGE_scepName" , "$FLEET_VAR_CUSTOM_SCEP_PROXY_URL_scepName2" ,
"Name" , "com.apple.security.scep" ) ,
errMsg : "Missing $FLEET_VAR_CUSTOM_SCEP_PROXY_URL_scepName in the profile" ,
} ,
{
name : "Custom SCEP challenge shows up an extra time" ,
profile : customSCEPForValidation ( "$FLEET_VAR_CUSTOM_SCEP_CHALLENGE_scepName" , "$FLEET_VAR_CUSTOM_SCEP_PROXY_URL_scepName" ,
"$FLEET_VAR_CUSTOM_SCEP_CHALLENGE_scepName" ,
"com.apple.security.scep" ) ,
errMsg : "$FLEET_VAR_CUSTOM_SCEP_CHALLENGE_scepName is already present in configuration profile" ,
} ,
{
name : "Custom SCEP url shows up an extra time" ,
profile : customSCEPForValidation ( "$FLEET_VAR_CUSTOM_SCEP_CHALLENGE_scepName" , "$FLEET_VAR_CUSTOM_SCEP_PROXY_URL_scepName" ,
"$FLEET_VAR_CUSTOM_SCEP_PROXY_URL_scepName" ,
"com.apple.security.scep" ) ,
errMsg : "$FLEET_VAR_CUSTOM_SCEP_PROXY_URL_scepName is already present in configuration profile" ,
} ,
2025-04-30 19:31:45 +00:00
{
name : "Custom SCEP renewal ID shows up in the wrong place" ,
2025-05-01 17:16:45 +00:00
profile : customSCEPForValidationWithoutRenewalID ( "$FLEET_VAR_CUSTOM_SCEP_CHALLENGE_scepName" , "$FLEET_VAR_CUSTOM_SCEP_PROXY_URL_scepName" ,
2025-04-30 19:31:45 +00:00
"$FLEET_VAR_SCEP_RENEWAL_ID" ,
"com.apple.security.scep" ) ,
2025-05-01 17:16:45 +00:00
errMsg : "Variable $FLEET_VAR_SCEP_RENEWAL_ID must be in the SCEP certificate's common name (CN)." ,
2025-04-30 19:31:45 +00:00
} ,
2025-03-19 13:27:55 +00:00
{
name : "Custom SCEP profile is not scep" ,
profile : customSCEPForValidation ( "$FLEET_VAR_CUSTOM_SCEP_CHALLENGE_scepName" , "$FLEET_VAR_CUSTOM_SCEP_PROXY_URL_scepName" ,
"Name" , "com.apple.security.SCEP" ) ,
2025-05-01 19:40:06 +00:00
errMsg : fleet . SCEPVariablesNotInSCEPPayloadErrMsg ,
2025-03-19 13:27:55 +00:00
} ,
{
name : "Custom SCEP challenge is not a fleet variable" ,
profile : customSCEPForValidation ( "x$FLEET_VAR_CUSTOM_SCEP_CHALLENGE_scepName" , "${FLEET_VAR_CUSTOM_SCEP_PROXY_URL_scepName}" ,
"Name" , "com.apple.security.scep" ) ,
2025-05-09 17:10:27 +00:00
errMsg : "must be in the SCEP certificate's \"Challenge\" field" ,
2025-03-19 13:27:55 +00:00
} ,
{
name : "Custom SCEP url is not a fleet variable" ,
profile : customSCEPForValidation ( "${FLEET_VAR_CUSTOM_SCEP_CHALLENGE_scepName}" , "x${FLEET_VAR_CUSTOM_SCEP_PROXY_URL_scepName}" ,
"Name" , "com.apple.security.scep" ) ,
2025-05-09 17:10:27 +00:00
errMsg : "must be in the SCEP certificate's \"URL\" field" ,
2025-03-19 13:27:55 +00:00
} ,
{
name : "Custom SCEP happy path" ,
profile : customSCEPForValidation ( "${FLEET_VAR_CUSTOM_SCEP_CHALLENGE_scepName}" , "${FLEET_VAR_CUSTOM_SCEP_PROXY_URL_scepName}" ,
"Name" , "com.apple.security.scep" ) ,
errMsg : "" ,
2025-04-30 20:03:23 +00:00
vars : [ ] string { "CUSTOM_SCEP_CHALLENGE_scepName" , "CUSTOM_SCEP_PROXY_URL_scepName" , "SCEP_RENEWAL_ID" } ,
2025-03-19 13:27:55 +00:00
} ,
{
name : "Custom SCEP 2 profiles with swapped variables" ,
profile : customSCEPForValidation2 ( "${FLEET_VAR_CUSTOM_SCEP_CHALLENGE_scepName2}" , "${FLEET_VAR_CUSTOM_SCEP_PROXY_URL_scepName}" ,
"$FLEET_VAR_CUSTOM_SCEP_CHALLENGE_scepName" , "$FLEET_VAR_CUSTOM_SCEP_PROXY_URL_scepName2" ) ,
2025-05-01 19:40:06 +00:00
errMsg : fleet . MultipleSCEPPayloadsErrMsg ,
2025-03-19 13:27:55 +00:00
} ,
2025-04-30 19:31:45 +00:00
{
name : "Custom SCEP 2 valid profiles should error" ,
profile : customSCEPForValidation2 ( "${FLEET_VAR_CUSTOM_SCEP_CHALLENGE_scepName}" , "${FLEET_VAR_CUSTOM_SCEP_PROXY_URL_scepName}" ,
2025-05-01 17:16:45 +00:00
"challenge" , "http://example2.com" ) ,
2025-05-01 19:40:06 +00:00
errMsg : fleet . MultipleSCEPPayloadsErrMsg ,
2025-04-30 19:31:45 +00:00
} ,
2025-03-19 13:27:55 +00:00
{
name : "Custom SCEP and DigiCert profiles happy path" ,
2025-05-01 19:40:06 +00:00
profile : customSCEPDigiCertForValidation ( "${FLEET_VAR_CUSTOM_SCEP_CHALLENGE_scepName}" , "${FLEET_VAR_CUSTOM_SCEP_PROXY_URL_scepName}" ) ,
2025-03-19 13:27:55 +00:00
errMsg : "" ,
2025-04-30 20:03:23 +00:00
vars : [ ] string { "DIGICERT_PASSWORD_caName" , "DIGICERT_DATA_caName" , "CUSTOM_SCEP_CHALLENGE_scepName" , "CUSTOM_SCEP_PROXY_URL_scepName" , "SCEP_RENEWAL_ID" } ,
2025-03-19 13:27:55 +00:00
} ,
2025-04-22 13:09:00 +00:00
{
name : "Custom profile with IdP variables and unknown variable" ,
profile : customProfileForValidation ( "$FLEET_VAR_HOST_END_USER_IDP_NO_SUCH_VAR" ) ,
errMsg : "Fleet variable $FLEET_VAR_HOST_END_USER_IDP_NO_SUCH_VAR is not supported in configuration profiles." ,
} ,
{
name : "Custom profile with IdP variables happy path" ,
profile : customProfileForValidation ( "value" ) ,
errMsg : "" ,
2025-06-29 18:23:03 +00:00
vars : [ ] string {
"HOST_END_USER_IDP_USERNAME" ,
"HOST_END_USER_IDP_USERNAME_LOCAL_PART" ,
"HOST_END_USER_IDP_GROUPS" ,
"HOST_END_USER_IDP_DEPARTMENT" ,
} ,
2025-04-22 13:09:00 +00:00
} ,
2025-05-01 19:40:06 +00:00
{
name : "Custom SCEP and NDES 2 valid profiles should error" ,
profile : customSCEPForValidation2 ( "${FLEET_VAR_CUSTOM_SCEP_CHALLENGE_scepName}" , "${FLEET_VAR_CUSTOM_SCEP_PROXY_URL_scepName}" ,
"$FLEET_VAR_NDES_SCEP_CHALLENGE" , "$FLEET_VAR_NDES_SCEP_PROXY_URL" ) ,
errMsg : fleet . MultipleSCEPPayloadsErrMsg ,
} ,
{
name : "NDES challenge missing" ,
profile : customSCEPForValidation ( "challenge" , "$FLEET_VAR_NDES_SCEP_PROXY_URL" , "Name" , "com.apple.security.scep" ) ,
errMsg : fleet . NDESSCEPVariablesMissingErrMsg ,
} ,
{
name : "NDES url missing" ,
profile : customSCEPForValidation ( "$FLEET_VAR_NDES_SCEP_CHALLENGE" , "https://bozo.com" , "Name" ,
"com.apple.security.scep" ) ,
errMsg : fleet . NDESSCEPVariablesMissingErrMsg ,
} ,
{
name : "NDES challenge shows up an extra time" ,
profile : customSCEPForValidation ( "$FLEET_VAR_NDES_SCEP_CHALLENGE" , "$FLEET_VAR_NDES_SCEP_PROXY_URL" ,
"$FLEET_VAR_NDES_SCEP_CHALLENGE" ,
"com.apple.security.scep" ) ,
errMsg : "$FLEET_VAR_NDES_SCEP_CHALLENGE is already present in configuration profile" ,
} ,
{
name : "NDES url shows up an extra time" ,
profile : customSCEPForValidation ( "$FLEET_VAR_NDES_SCEP_CHALLENGE" , "$FLEET_VAR_NDES_SCEP_PROXY_URL" ,
"$FLEET_VAR_NDES_SCEP_PROXY_URL" ,
"com.apple.security.scep" ) ,
errMsg : "$FLEET_VAR_NDES_SCEP_PROXY_URL is already present in configuration profile" ,
} ,
{
name : "NDES renewal ID shows up in the wrong place" ,
profile : customSCEPForValidationWithoutRenewalID ( "$FLEET_VAR_NDES_SCEP_CHALLENGE" , "$FLEET_VAR_NDES_SCEP_PROXY_URL" ,
"$FLEET_VAR_SCEP_RENEWAL_ID" ,
"com.apple.security.scep" ) ,
errMsg : "Variable $FLEET_VAR_SCEP_RENEWAL_ID must be in the SCEP certificate's common name (CN)." ,
} ,
{
name : "NDES profile is not scep" ,
profile : customSCEPForValidation ( "$FLEET_VAR_NDES_SCEP_CHALLENGE" , "$FLEET_VAR_NDES_SCEP_PROXY_URL" ,
"Name" , "com.apple.security.SCEP" ) ,
errMsg : fleet . SCEPVariablesNotInSCEPPayloadErrMsg ,
} ,
{
name : "NDES challenge is not a fleet variable" ,
profile : customSCEPForValidation ( "x$FLEET_VAR_NDES_SCEP_CHALLENGE" , "${FLEET_VAR_NDES_SCEP_PROXY_URL}" ,
"Name" , "com.apple.security.scep" ) ,
2025-05-09 17:10:27 +00:00
errMsg : "Variable \"$FLEET_VAR_NDES_SCEP_CHALLENGE\" must be in the SCEP certificate's \"Challenge\" field." ,
2025-05-01 19:40:06 +00:00
} ,
{
name : "NDES url is not a fleet variable" ,
profile : customSCEPForValidation ( "${FLEET_VAR_NDES_SCEP_CHALLENGE}" , "x${FLEET_VAR_NDES_SCEP_PROXY_URL}" ,
"Name" , "com.apple.security.scep" ) ,
2025-05-09 17:10:27 +00:00
errMsg : "Variable \"$FLEET_VAR_NDES_SCEP_PROXY_URL\" must be in the SCEP certificate's \"URL\" field." ,
2025-05-01 19:40:06 +00:00
} ,
{
name : "SCEP renewal ID without other variables" ,
profile : customSCEPForValidation ( "challenge" , "url" ,
"Name" , "com.apple.security.scep" ) ,
errMsg : fleet . SCEPRenewalIDWithoutURLChallengeErrMsg ,
} ,
{
name : "NDES happy path" ,
profile : customSCEPForValidation ( "${FLEET_VAR_NDES_SCEP_CHALLENGE}" , "${FLEET_VAR_NDES_SCEP_PROXY_URL}" ,
"Name" , "com.apple.security.scep" ) ,
errMsg : "" ,
vars : [ ] string { "NDES_SCEP_CHALLENGE" , "NDES_SCEP_PROXY_URL" , "SCEP_RENEWAL_ID" } ,
} ,
{
name : "NDES 2 valid profiles should error" ,
profile : customSCEPForValidation2 ( "${FLEET_VAR_NDES_SCEP_CHALLENGE}" , "${FLEET_VAR_NDES_SCEP_PROXY_URL}" ,
"challenge" , "http://example2.com" ) ,
errMsg : fleet . MultipleSCEPPayloadsErrMsg ,
} ,
{
name : "NDES and DigiCert profiles happy path" ,
profile : customSCEPDigiCertForValidation ( "${FLEET_VAR_NDES_SCEP_CHALLENGE}" , "${FLEET_VAR_NDES_SCEP_PROXY_URL}" ) ,
errMsg : "" ,
2025-05-09 18:18:48 +00:00
vars : [ ] string {
"DIGICERT_PASSWORD_caName" , "DIGICERT_DATA_caName" , "NDES_SCEP_CHALLENGE" , "NDES_SCEP_PROXY_URL" ,
"SCEP_RENEWAL_ID" ,
} ,
2025-05-01 19:40:06 +00:00
} ,
2025-08-26 15:55:58 +00:00
{
name : "Custom profile with IdP full name var" ,
profile : string ( scopedMobileconfigForTest (
"FullName Var" ,
"com.example.fullname" ,
nil ,
"HOST_END_USER_IDP_FULL_NAME" , // will be prefixed to $FLEET_VAR_ by helper
) ) ,
errMsg : "" ,
vars : [ ] string { "HOST_END_USER_IDP_FULL_NAME" } ,
} ,
2025-03-19 13:27:55 +00:00
}
for _ , tc := range cases {
t . Run ( tc . name , func ( t * testing . T ) {
2025-08-11 12:47:55 +00:00
// Pass a premium license for testing (we're not testing license validation here)
premiumLic := & fleet . LicenseInfo { Tier : fleet . TierPremium }
2025-09-04 16:39:41 +00:00
vars , err := validateConfigProfileFleetVariables ( tc . profile , premiumLic , groupedCAs )
2025-03-19 13:27:55 +00:00
if tc . errMsg != "" {
assert . ErrorContains ( t , err , tc . errMsg )
2025-04-30 20:03:23 +00:00
assert . Empty ( t , vars )
2025-03-19 13:27:55 +00:00
} else {
assert . NoError ( t , err )
2025-04-30 20:03:23 +00:00
gotVars := make ( [ ] string , 0 , len ( vars ) )
for v := range vars {
gotVars = append ( gotVars , v )
}
assert . ElementsMatch ( t , tc . vars , gotVars )
2025-03-19 13:27:55 +00:00
}
} )
}
}
//go:embed testdata/profiles/digicert-validation.mobileconfig
var digiCertValidationMobileconfig string
func digiCertForValidation ( password , data , name , payloadType string ) string {
return fmt . Sprintf ( digiCertValidationMobileconfig , password , data , name , payloadType )
}
//go:embed testdata/profiles/digicert-validation2.mobileconfig
var digiCertValidation2Mobileconfig string
func digiCertForValidation2 ( password1 , data1 , password2 , data2 string ) string {
return fmt . Sprintf ( digiCertValidation2Mobileconfig , password1 , data1 , password2 , data2 )
}
//go:embed testdata/profiles/custom-scep-validation.mobileconfig
var customSCEPValidationMobileconfig string
func customSCEPForValidation ( challenge , url , name , payloadType string ) string {
return fmt . Sprintf ( customSCEPValidationMobileconfig , challenge , url , name , payloadType )
}
2025-05-01 17:16:45 +00:00
func customSCEPForValidationWithoutRenewalID ( challenge , url , name , payloadType string ) string {
configProfile := strings . ReplaceAll ( customSCEPValidationMobileconfig , "$FLEET_VAR_SCEP_RENEWAL_ID" , "" )
return fmt . Sprintf ( configProfile , challenge , url , name , payloadType )
}
2025-03-19 13:27:55 +00:00
//go:embed testdata/profiles/custom-scep-validation2.mobileconfig
var customSCEPValidation2Mobileconfig string
func customSCEPForValidation2 ( challenge1 , url1 , challenge2 , url2 string ) string {
return fmt . Sprintf ( customSCEPValidation2Mobileconfig , challenge1 , url1 , challenge2 , url2 )
}
//go:embed testdata/profiles/custom-scep-digicert-validation.mobileconfig
var customSCEPDigiCertValidationMobileconfig string
2025-04-22 13:09:00 +00:00
2025-05-01 19:40:06 +00:00
func customSCEPDigiCertForValidation ( challenge , url string ) string {
return fmt . Sprintf ( customSCEPDigiCertValidationMobileconfig , challenge , url )
}
2025-04-22 13:09:00 +00:00
//go:embed testdata/profiles/custom-profile-validation.mobileconfig
var customProfileValidationMobileconfig string
func customProfileForValidation ( value string ) string {
return fmt . Sprintf ( customProfileValidationMobileconfig , value )
}
